From 6b5a44aa7d1d0b628ddc039698230b4b790a92b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Ram=C3=ADrez=20Mondrag=C3=B3n?= <16805946+edgarrmondragon@users.noreply.github.com> Date: Tue, 13 Aug 2024 16:34:15 -0600 Subject: [PATCH] ci: Let us create lightweight pre-release tags (#2581) --- .github/workflows/release.yml | 58 +++++++++++++++++++++++++++++------ 1 file changed, 48 insertions(+), 10 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 712f2e3db..cfb5ac75e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,6 +5,7 @@ on: jobs: build: + name: Build artifacts runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -12,8 +13,44 @@ jobs: fetch-depth: 0 - uses: hynek/build-and-inspect-python-package@v2 + check-tag: + name: Check tag + runs-on: ubuntu-latest + if: startsWith(github.ref, 'refs/tags/') + outputs: + is_final: ${{ steps.check.outputs.is_final }} + steps: + - name: Check if tag is a pre-release + id: check + run: | + echo "is_final=$(echo '${{ github.ref }}' | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+$' && echo 'true' || echo 'false')" >> $GITHUB_OUTPUT + + provenance: + name: Provenance + runs-on: ubuntu-latest + needs: [build] + if: startsWith(github.ref, 'refs/tags/') + permissions: + id-token: write # Needed for attestations + attestations: write # Needed for attestations + outputs: + bundle-path: ${{ steps.attest.outputs.bundle-path }} + steps: + - uses: actions/download-artifact@v4 + with: + name: Packages + path: dist + - uses: actions/attest-build-provenance@v1 + id: attest + with: + subject-path: "./dist/singer_sdk*" + - uses: actions/upload-artifact@v4 + with: + name: Attestations + path: ${{ steps.attest.outputs.bundle-path }} + publish: - name: Publish to PyPI + name: PyPI runs-on: ubuntu-latest needs: [build] environment: 
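Review bot: In the new `check-tag` step, `${{ github.ref }}` is expanded into the `run:` script text before the shell starts, so the tag name is parsed as shell source; ref names can carry quote and other shell metacharacters, and the surrounding single quotes do not contain them. The same line also tests the full ref against `^v[0-9]+\.[0-9]+\.[0-9]+$`, but the job's own `if:` shows the value begins with `refs/tags/`, so the anchored pattern cannot match and `is_final` would always be `false`. That would leave `upload-to-release`, which the next hunk gates on this output, skipped for every tag. Passing `github.ref_name` through `env:` and reading it as a quoted shell variable fixes both, and quoting `"$GITHUB_OUTPUT"` is worth doing in the same change.

```yaml
      - name: Check if tag is a pre-release
        id: check
        env:
          # Tag name without the refs/tags/ prefix; passed as data, not script text
          REF_NAME: ${{ github.ref_name }}
        run: |
          if printf '%s\n' "$REF_NAME" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "is_final=true" >> "$GITHUB_OUTPUT"
          else
            echo "is_final=false" >> "$GITHUB_OUTPUT"
          fi
```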
@@ -33,18 +70,22 @@ jobs: upload-to-release: name: Upload files to release runs-on: ubuntu-latest - needs: [build] - if: startsWith(github.ref, 'refs/tags/') + needs: [build, check-tag, provenance] + if: ${{ startsWith(github.ref, 'refs/tags/') && needs.check-tag.outputs.is_final == 'true' }} permissions: contents: write # Needed for uploading files to the release - id-token: write # Needed for attestations - attestations: write # Needed for attestations steps: - uses: actions/download-artifact@v4 with: name: Packages path: dist + + - uses: actions/download-artifact@v4 + with: + name: Attestations + path: attestations + - name: Upload wheel and sdist to release uses: svenstaro/upload-release-action@v2 with: @@ -52,14 +93,11 @@ jobs: tag: ${{ github.ref }} overwrite: true file_glob: true - - uses: actions/attest-build-provenance@v1 - id: attest - with: - subject-path: "./dist/singer_sdk*" + - name: Upload attestations to release uses: svenstaro/upload-release-action@v2 with: - file: ${{ steps.attest.outputs.bundle-path }} + file: attestations/attestation.jsonl tag: ${{ github.ref }} overwrite: true asset_name: attestations.intoto.jsonl
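Review bot: The new `file: attestations/attestation.jsonl` in the "Upload attestations to release" step hard-codes the bundle's file name, while the `provenance` job uploads whatever `steps.attest.outputs.bundle-path` resolves to. The two agree only while the attest action keeps writing a file called `attestation.jsonl`, which nothing on this page confirms. If that name changes, the release may end up without its provenance bundle, depending on how the upload action treats a missing file. Consider a guard step before the upload, `- run: test -s attestations/attestation.jsonl`, plus a comment on the `file:` line such as `# Must match the bundle file name written by actions/attest-build-provenance`.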