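# Release pipeline. Job order, as fixed by the `needs` edges below:
#   test -> build + create_executables -> create_github_release
#        -> publish_to_pypi -> publish_docker_to_ghcr
#
# NOTE(review): every external action here is referenced by a mutable tag or
# branch (e.g. `@v6`, `@release/v1`). The jobs that publish hold write-scoped
# tokens, so consider pinning each action to a full commit SHA and letting a
# dependency bot propose the bumps.
name: Publish a release

# GitHub events that trigger the workflow:
on:
  release:
    types:
      - published

jobs:
  test:
    name: Run Tests
    uses: ./.github/workflows/test.yaml

  # update_files:
  #   name: Update schema.json, examples, and entry figures
  #   uses: ./.github/workflows/update-files.yaml
  #   needs:
  #     - test

  build:
    name: Build Package
    needs:
      - test
    runs-on: ubuntu-latest
    # Least privilege: this job only reads the repository and uploads a
    # workflow artifact, so the token is limited to read access.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
        with:
          # No later step in this job runs an authenticated git command, so
          # the token is not left configured for the build step.
          persist-credentials: false

      - name: Install uv
        uses: astral-sh/setup-uv@v7

      # Stops the release early when the tag and the package version differ.
      - name: Check if the release tag matches the version
        uses: samuelcolvin/check-python-version@v5
        with:
          version_file_path: src/rendercv/__init__.py

      - name: Build
        run: uv build

      # The `dist` artifact is what the release and PyPI jobs download, so
      # the files published are the ones built in this job.
      - name: Upload the wheel and source distribution as artifacts
        uses: actions/upload-artifact@v5
        with:
          name: dist
          path: dist

  create_executables:
    name: Create Executables
    needs:
      - test
    uses: ./.github/workflows/create-executables.yaml

  create_github_release:
    name: Add assets to the GitHub Release
    needs:
      - build
      - create_executables
    runs-on: ubuntu-latest
    # contents: write is needed to attach files to the release.
    permissions:
      contents: write
    steps:
      # merge-multiple: false keeps each artifact in its own directory,
      # which is what the `rendercv-*/...` globs below rely on.
      - name: Download the executables
        uses: actions/download-artifact@v6
        with:
          pattern: rendercv-*
          merge-multiple: false

      - name: Download the build artifacts
        uses: actions/download-artifact@v6
        with:
          name: dist
          path: dist

      - name: Add assets to the GitHub release
        uses: softprops/action-gh-release@v2
        with:
          files: |
            rendercv-*/rendercv-linux-ARM64.zip
            rendercv-*/rendercv-linux-x86_64.zip
            rendercv-*/rendercv-macos-ARM64.zip
            rendercv-*/rendercv-windows-x86_64.zip
            dist/rendercv-*.whl

  publish_to_pypi:
    name: Publish to PyPI
    needs:
      - create_github_release
    runs-on: ubuntu-latest
    # Runs in the `release` environment; any protection rules configured on
    # that environment gate this job.
    environment: release
    # Only an OIDC token is granted. No password or API token is passed to
    # the publish step, so this presumably relies on PyPI trusted publishing;
    # confirm against the PyPI project settings.
    permissions:
      id-token: write
    steps:
      - name: Download the build artifacts
        uses: actions/download-artifact@v6
        with:
          name: dist
          path: dist

      # NOTE(review): `release/v1` is a branch ref, and this step runs with
      # publish rights to PyPI.
      - name: Upload package to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1

  publish_docker_to_ghcr:
    name: Push Docker image to GitHub Container Registry
    runs-on: ubuntu-latest
    needs:
      - publish_to_pypi
    # packages: write pushes the image, attestations: write and
    # id-token: write are used by the provenance attestation step.
    permissions:
      packages: write
      contents: read
      attestations: write
      id-token: write
    steps:
      - name: Check out the repo
        uses: actions/checkout@v6
        with:
          # The checkout is only used as the Docker build context; no later
          # step needs git credentials.
          persist-credentials: false

      - name: Log in to the Container registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ghcr.io/${{ github.repository }}

      - name: Build and push Docker images
        id: push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      # The attestation is bound to the digest of the image pushed above and
      # stored in the registry alongside it.
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@v3
        with:
          subject-name: ghcr.io/${{ github.repository }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true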