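# release-please.yml
#
# Release pipeline: release-please maintains the release PR and tag, the build
# jobs produce wheels and an sdist from the released ref, and the publish job
# uploads them to PyPI through Trusted Publishing (OIDC, no stored API token).
#
# Every action is pinned to a full commit SHA; the trailing comment records
# the tag the SHA was taken from.
name: Release

on:
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      force_release:
        description: 'Force release build (use existing tag)'
        required: false
        default: 'false'
        type: choice
        options:
          - 'false'
          - 'true'
      # NOTE(review): release_tag is a free-form string that is passed to
      # actions/checkout as `ref`, so anyone allowed to dispatch this workflow
      # chooses what gets built and published. The protection rules on the
      # `release` environment used by the publish job are the approval gate.
      release_tag:
        description: 'Tag to release (e.g., cachekit-v0.1.0)'
        required: false
        type: string

# Least-privilege default for GITHUB_TOKEN. Write scopes are granted per job
# below, so the build jobs, which compile the project and its dependencies,
# never hold a token that can push to the repository.
permissions:
  contents: read

jobs:
  release-please:
    name: Release Please
    runs-on: ubuntu-latest
    # Only this job creates tags, releases and release PRs.
    permissions:
      contents: write
      pull-requests: write
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      tag_name: ${{ steps.release.outputs.tag_name }}
      version: ${{ steps.release.outputs.version }}
    steps:
      # Use GitHub App for token vending (avoids branch protection issues with
      # GITHUB_TOKEN). The step runs only when the repository variable
      # USE_APP_TOKEN is 'true'; otherwise it is skipped and release-please
      # falls back to GITHUB_TOKEN. With USE_APP_TOKEN set, APP_ID and
      # APP_PRIVATE_KEY must be configured as secrets.
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2
        if: ${{ vars.USE_APP_TOKEN == 'true' }}
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Run release-please
        id: release
        uses: googleapis/release-please-action@c3fc4de07084f75a2b61a5b933069bda6edf3d5c # v4
        with:
          manifest-file: .release-please-manifest.json
          config-file: release-please-config.json
          token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}

  build-wheels:
    name: Build wheels (${{ matrix.target }})
    needs: release-please
    # Run if: release-please created a release OR manual dispatch with force_release
    if: needs.release-please.outputs.release_created == 'true' || github.event.inputs.force_release == 'true'
    # Building needs read access to the source only.
    permissions:
      contents: read
    strategy:
      matrix:
        include:
          # Linux builds - must specify interpreters explicitly (manylinux has 3.8+ but we support 3.9+)
          - os: ubuntu-latest
            target: x86_64-unknown-linux-gnu
            interpreter: -i python3.9 -i python3.10 -i python3.11 -i python3.12 -i python3.13
          # macOS/Windows - must specify interpreters explicitly (auto-discovery unreliable)
          - os: macos-latest
            target: x86_64-apple-darwin
            interpreter: -i python3.9 -i python3.10 -i python3.11 -i python3.12 -i python3.13
          - os: macos-latest
            target: aarch64-apple-darwin
            interpreter: -i python3.9 -i python3.10 -i python3.11 -i python3.12 -i python3.13
          - os: windows-latest
            target: x86_64-pc-windows-msvc
            interpreter: -i python3.9 -i python3.10 -i python3.11 -i python3.12 -i python3.13
          # aarch64 Linux cross-compilation - must specify Python versions explicitly
          # (cross containers don't have discoverable Python interpreters)
          # Uses manylinux_2_28 for modern GCC (fixes ring crate aarch64 build)
          - os: ubuntu-latest
            target: aarch64-unknown-linux-gnu
            interpreter: -i python3.9 -i python3.10 -i python3.11 -i python3.12 -i python3.13
            manylinux: "2_28"
    runs-on: ${{ matrix.os }}
    steps:
      # Without a tag, checkout would silently fall back to the triggering ref
      # and the branch head would be built and published. The inputs are only
      # compared in the `if:` expression, never interpolated into the script.
      - name: Require an explicit release ref
        if: needs.release-please.outputs.tag_name == '' && github.event.inputs.release_tag == ''
        shell: bash
        run: |
          echo "::error::force_release requires release_tag to be set"
          exit 1

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Use release-please tag or manual input tag
          ref: ${{ needs.release-please.outputs.tag_name || github.event.inputs.release_tag }}
          # Keep the job token out of .git/config; the steps that follow
          # compile the checked-out project and its dependencies.
          persist-credentials: false

      # Python setup required for native builds (macOS/Windows) to discover interpreters
      # Linux uses Docker containers which have Python pre-installed
      - name: Set up Python
        if: matrix.os != 'ubuntu-latest'
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: |
            3.9
            3.10
            3.11
            3.12
            3.13

      - uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1
        with:
          target: ${{ matrix.target }}
          args: --release --out dist ${{ matrix.interpreter }}
          manylinux: ${{ matrix.manylinux || 'auto' }}
          rust-toolchain: stable

      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: wheels-${{ matrix.target }}
          path: dist

  build-sdist:
    name: Build source distribution
    needs: release-please
    if: needs.release-please.outputs.release_created == 'true' || github.event.inputs.force_release == 'true'
    runs-on: ubuntu-latest
    # Building needs read access to the source only.
    permissions:
      contents: read
    steps:
      # Same guard as in build-wheels: never package the triggering ref by
      # accident when no tag was supplied.
      - name: Require an explicit release ref
        if: needs.release-please.outputs.tag_name == '' && github.event.inputs.release_tag == ''
        shell: bash
        run: |
          echo "::error::force_release requires release_tag to be set"
          exit 1

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          ref: ${{ needs.release-please.outputs.tag_name || github.event.inputs.release_tag }}
          persist-credentials: false

      - uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1
        with:
          command: sdist
          args: --out dist
          rust-toolchain: stable

      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: sdist
          path: dist

  publish:
    name: Publish to PyPI
    needs: [release-please, build-wheels, build-sdist]
    runs-on: ubuntu-latest
    # Deployment environment; its protection rules (required reviewers,
    # allowed refs) apply before this job starts.
    environment: release
    # Only the OIDC token used for Trusted Publishing; no repository scopes.
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          pattern: wheels-*
          merge-multiple: true
          path: dist

      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: sdist
          path: dist

      - name: Publish to PyPI (Trusted Publishing)
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1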