.github/workflows/pypi.yml

# This workflows will upload a Python Package using Twine when a release is created
# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries

name: Publish to PyPi

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  release:
    types: [ released ]

jobs:
  build:
    uses: samsung/supplychainassurance/.github/workflows/python_builder.yml@v1.0.2
    with:
      version: "3.11"
      upload: ${{ 'release' == github.event_name }}

  slsa_release:
    needs: [ build ]
    if: ${{ 'release' == github.event_name }}
    permissions:
      id-token: write
    uses: samsung/supplychainassurance/.github/workflows/slsa_release.yml@v1.0.2
    with:
      hash: "${{ needs.build.outputs.hash }}"
      artifact: "${{ needs.build.outputs.artifact }}"
      build_cmd: "${{ needs.build.outputs.build_command }}"
    secrets:
      EXPECTED_REPOSITORY: "${{ secrets.EXPECTED_REPOSITORY }}"
      ECODETOKEN: "${{ secrets.ECODE_TOKEN }}"

  upload_asset:
    needs: [ build, slsa_release ]
    if: ${{ 'release' == github.event_name }}
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
    - name: Upload Assets
      uses: samsung/supplychainassurance/.github/actions/upload-release-asset@v1.0.2
      env:
        GITHUBTOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        artifacts: ${{ needs.slsa_release.outputs.artifacts }}

  deploy:
    runs-on: ubuntu-latest
    needs: [ build, slsa_release, upload_asset ]
    steps:
    - name: Download Artifacts
      if: ${{ 'release' == github.event_name }}
      id: download
      uses: samsung/supplychainassurance/.github/actions/download-artifact@v1.0.2
      with:
        hash: ${{ needs.build.outputs.hash }}

    - name: Set up Python
      uses: actions/setup-python@v3
      with:
        python-version: "3.11"

    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        pip install twine

    - name: Publish
      if: ${{ 'release' == github.event_name }}
      env:
        TWINE_USERNAME: __token__
        TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
      run: |
        cd ${{ steps.download.outputs.outdir }}
        twine upload ${{ needs.build.outputs.artifact }}