Skip to content

Merge pull request #69 from foundryside-dev/release/consolidation-202… #12

Merge pull request #69 from foundryside-dev/release/consolidation-202…

Merge pull request #69 from foundryside-dev/release/consolidation-202… #12

Workflow file for this run

name: Release
on:
push:
tags: ["v*"]
permissions:
contents: read
jobs:
build:
name: Build distributions
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
python-version: "3.13"
- name: Build
run: uv build
- name: Guard tag matches built version
# Refuse to publish if the pushed tag (vX.Y.Z) doesn't match the version
# hatchling stamped into the built distributions — prevents tagging one
# version while _version.py says another.
run: |
TAG="${GITHUB_REF_NAME#v}"
test -f "dist/wardline-${TAG}.tar.gz" || { echo "tag $TAG does not match built dist:"; ls -1 dist; exit 1; }
- name: Record artifact hashes
run: |
cd dist
sha256sum * > SHA256SUMS
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: dist
path: dist/
publish:
name: Publish to PyPI
runs-on: ubuntu-latest
needs: build
environment: pypi
permissions:
id-token: write
steps:
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: dist
path: dist/
- name: Verify artifact hashes
run: |
cd dist
sha256sum --check SHA256SUMS
- name: Drop checksum file before publish
# pypa/gh-action-pypi-publish twine-uploads the ENTIRE packages dir (dist/)
# unconditionally; SHA256SUMS is not a distribution, so leaving it here makes
# twine reject it ("Unknown distribution format") and blocks the release.
# Verification above already consumed it.
run: rm -f dist/SHA256SUMS
- uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0