---
name: release python

on:
  push:
    branches: [master]
    tags:
      - '**'
  workflow_dispatch:

jobs:
  build_sdist:
    name: Build source distribution
    runs-on: ubuntu-latest
    env:
      PYTHON_VERSION: "3.10"
    container:
      image: ghcr.io/linux-nvme/debian.python:latest
    steps:
      - uses: actions/checkout@v4

      - name: Allow workspace
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

      - name: Build sdist
        run: pipx run build --sdist

      - uses: actions/upload-artifact@v4
        with:
          path: dist/*.tar.gz
          retention-days: 5

  upload_test_pypi:
    needs: [build_sdist]
    runs-on: ubuntu-latest
    env:
      PYTHON_VERSION: "3.10"
    environment: pypi
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: artifact
          path: dist

      - name: Publish package to TestPyPI
        uses: pypa/gh-action-pypi-publish@v1.12.4
        with:
          repository-url: https://test.pypi.org/legacy/

  upload_pypi:
    needs: [build_sdist]
    runs-on: ubuntu-latest
    env:
      PYTHON_VERSION: "3.10"
    environment: pypi
    permissions:
      id-token: write
    if: startsWith(github.ref, 'refs/tags/v') && github.repository == 'linux-nvme/libnvme'
    steps:
      - name: Check if it is a release tag
        id: check-tag
        run: |
           if [[ ${{ github.event.ref }} =~ ^refs/tags/v([0-9]+\.[0-9]+)(\.[0-9]+)?(-rc[0-9]+)?$ ]]; then
               echo ::set-output name=match::true
           fi

      - name: Download artifiact
        uses: actions/download-artifact@v4
        if: steps.check-tag.outputs.match == 'true'
        with:
          name: artifact
          path: dist

      - name: Publish package to PyPI
        uses: pypa/gh-action-pypi-publish@v1.12.4
        if: steps.check-tag.outputs.match == 'true'