---

name: CI/CD

on:

push:

branches:

- master

- release/**

# default token permissions = none

permissions: {}

jobs:

eval-changes:

name: Evaluate changes

runs-on: ubuntu-latest

steps:

- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

with:

fetch-depth: 100 # Must at least retrieve a set of commits to compare changes

# primarily because of any 'Rebase and Merge' PR action in GitHub

- name: Evaluate | Check common file types for changes

id: core-changed-files

uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 #v47.0.0

with:

base_sha: ${{ github.event.push.before }}

files_yaml_from_source_file: .github/changed-files-spec.yml

- name: Evaluate | Check specific file types for changes

id: ci-changed-files

uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 #v47.0.0

with:

base_sha: ${{ github.event.push.before }}

files_yaml: |

ci:

- .github/workflows/cicd.yml

- .github/workflows/validate.yml

- name: Evaluate | Detect if any of the combinations of file sets have changed

id: all-changes

run: |

printf '%s\n' "any_changed=false" >> $GITHUB_OUTPUT

if [ "${{ steps.core-changed-files.outputs.build_any_changed }}" == "true" ] || \

[ "${{ steps.ci-changed-files.outputs.ci_any_changed }}" == "true" ] || \

[ "${{ steps.core-changed-files.outputs.docs_any_changed }}" == "true" ] || \

[ "${{ steps.core-changed-files.outputs.src_any_changed }}" == "true" ] || \

[ "${{ steps.core-changed-files.outputs.tests_any_changed }}" == "true" ] || \

[ "${{ steps.core-changed-files.outputs.gha_src_any_changed }}" == "true" ] || \

[ "${{ steps.core-changed-files.outputs.gha_tests_any_changed }}" == "true" ]; then

printf '%s\n' "any_changed=true" >> $GITHUB_OUTPUT

fi

outputs:

any-file-changes: ${{ steps.all-changes.outputs.any_changed }}

build-changes: ${{ steps.core-changed-files.outputs.build_any_changed }}

ci-changes: ${{ steps.ci-changed-files.outputs.ci_any_changed }}

doc-changes: ${{ steps.core-changed-files.outputs.docs_any_changed }}

src-changes: ${{ steps.core-changed-files.outputs.src_any_changed }}

test-changes: ${{ steps.core-changed-files.outputs.tests_any_changed }}

gha-src-changes: ${{ steps.core-changed-files.outputs.gha_src_any_changed }}

gha-test-changes: ${{ steps.core-changed-files.outputs.gha_tests_any_changed }}

validate:

uses: ./.github/workflows/validate.yml

needs: eval-changes

concurrency:

group: ${{ github.workflow }}-validate-${{ github.ref_name }}

cancel-in-progress: true

with:

# It was a bit of overkill before testing every minor version, and since this project is all about

# SemVer, we should expect Python to adhere to that model to. Therefore Only test across 2 OS's but

# the lowest supported minor version and the latest stable minor version.

python-versions-linux: '["3.8", "3.14"]'

python-versions-windows: '["3.8", "3.14"]'

files-changed: ${{ needs.eval-changes.outputs.any-file-changes }}

build-files-changed: ${{ needs.eval-changes.outputs.build-changes }}

ci-files-changed: ${{ needs.eval-changes.outputs.ci-changes }}

doc-files-changed: ${{ needs.eval-changes.outputs.doc-changes }}

src-files-changed: ${{ needs.eval-changes.outputs.src-changes }}

test-files-changed: ${{ needs.eval-changes.outputs.test-changes }}

gha-src-files-changed: ${{ needs.eval-changes.outputs.gha-src-changes }}

gha-test-files-changed: ${{ needs.eval-changes.outputs.gha-test-changes }}

permissions: {}

secrets: {}

release:

name: Semantic Release

runs-on: ubuntu-latest

needs: validate

if: ${{ needs.validate.outputs.new-release-detected == 'true' }}

concurrency:

group: ${{ github.workflow }}-release-${{ github.ref_name }}

cancel-in-progress: false

permissions:

contents: write

env:

GITHUB_ACTIONS_AUTHOR_NAME: github-actions

GITHUB_ACTIONS_AUTHOR_EMAIL: actions@users.noreply.github.com

steps:

# Note: We checkout the repository at the branch that triggered the workflow

# with the entire history to ensure to match PSR's release branch detection

# and history evaluation.

# However, we forcefully reset the branch to the workflow sha because it is

# possible that the branch was updated while the workflow was running. This

# prevents accidentally releasing un-evaluated changes.

- name: Setup | Checkout Repository on Release Branch

uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

with:

ref: ${{ github.ref_name }}

fetch-depth: 0

- name: Setup | Force release branch to be at workflow sha

run: |

git reset --hard ${{ github.sha }}

- name: Setup | Download Build Artifacts

uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0

id: artifact-download

with:

name: ${{ needs.validate.outputs.distribution-artifacts }}

path: dist

- name: Release | Bump Version in Docs

if: needs.validate.outputs.new-release-is-prerelease == 'false'

env:

NEW_VERSION: ${{ needs.validate.outputs.new-release-version }}

NEW_RELEASE_TAG: ${{ needs.validate.outputs.new-release-tag }}

run: |

python -m scripts.bump_version_in_docs

git add docs/*

- name: Evaluate | Verify upstream has NOT changed

# Last chance to abort before causing an error as another PR/push was applied to the upstream branch

# while this workflow was running. This is important because we are committing a version change

shell: bash

run: bash .github/workflows/verify_upstream.sh

- name: Release | Python Semantic Release

id: release

uses: python-semantic-release/python-semantic-release@4d4cb0ab842247caea1963132c242c62aab1e4d5 # v10.4.1

with:

github_token: ${{ secrets.GITHUB_TOKEN }}

verbosity: 1

build: false

- name: Release | Add distribution artifacts to GitHub Release Assets

uses: python-semantic-release/publish-action@ae6462adc12bd3d1738070d784b65b5189b955a9 # v10.4.1

if: steps.release.outputs.released == 'true'

with:

github_token: ${{ secrets.GITHUB_TOKEN }}

tag: ${{ steps.release.outputs.tag }}

- name: Release | Update Minor Release Tag Reference

if: steps.release.outputs.released == 'true' && steps.release.outputs.is_prerelease == 'false'

env:

FULL_VERSION_TAG: ${{ steps.release.outputs.tag }}

GIT_COMMITTER_NAME: ${{ env.GITHUB_ACTIONS_AUTHOR_NAME }}

GIT_COMMITTER_EMAIL: ${{ env.GITHUB_ACTIONS_AUTHOR_EMAIL }}

run: |

MINOR_VERSION_TAG="$(echo "$FULL_VERSION_TAG" | cut -d. -f1,2)"

git tag --force --annotate "$MINOR_VERSION_TAG" "${FULL_VERSION_TAG}^{}" -m "$MINOR_VERSION_TAG"

git push -u origin "$MINOR_VERSION_TAG" --force

- name: Release | Update Major Release Tag Reference

if: steps.release.outputs.released == 'true' && steps.release.outputs.is_prerelease == 'false'

env:

FULL_VERSION_TAG: ${{ steps.release.outputs.tag }}

GIT_COMMITTER_NAME: ${{ env.GITHUB_ACTIONS_AUTHOR_NAME }}

GIT_COMMITTER_EMAIL: ${{ env.GITHUB_ACTIONS_AUTHOR_EMAIL }}

run: |

MAJOR_VERSION_TAG="$(echo "$FULL_VERSION_TAG" | cut -d. -f1)"

git tag --force --annotate "$MAJOR_VERSION_TAG" "${FULL_VERSION_TAG}^{}" -m "$MAJOR_VERSION_TAG"

git push -u origin "$MAJOR_VERSION_TAG" --force

outputs:

released: ${{ steps.release.outputs.released || 'false' }}

new-release-version: ${{ steps.release.outputs.version }}

new-release-tag: ${{ steps.release.outputs.tag }}

deploy:

name: Deploy

runs-on: ubuntu-latest

if: ${{ needs.release.outputs.released == 'true' && github.repository == 'python-semantic-release/python-semantic-release' }}

needs:

- validate

- release

environment:

name: pypi

url: https://pypi.org/project/python-semantic-release/

permissions:

# https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#metadata

id-token: write # needed for PyPI upload

steps:

- name: Setup | Download Build Artifacts

uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0

id: artifact-download

with:

name: ${{ needs.validate.outputs.distribution-artifacts }}

path: dist

# see https://docs.pypi.org/trusted-publishers/

- name: Publish package distributions to PyPI

id: pypi-publish

uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0

with:

packages-dir: dist

print-hash: true

verbose: true