.github/workflows/build.yml

name: Build

on: [push, pull_request]

jobs:
  test:

    runs-on: ubuntu-latest
    strategy:
      matrix:
        python_version: ['3.8', '3.9', '3.10', '3.11', '3.12']

    steps:
    - uses: actions/checkout@v4
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
        python-version: ${{ matrix.python_version }}
    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        pip install hatch
        hatch env create
    - name: Lint and typecheck
      run: |
        hatch run lint-check
    - name: Test
      run: |
        hatch run test-cov-xml
    - uses: codecov/codecov-action@v4
      with:
        token: ${{ secrets.CODECOV_TOKEN }}
        fail_ci_if_error: true
        verbose: true

  release:
    runs-on: ubuntu-latest
    environment: release
    needs: test
    if: startsWith(github.ref, 'refs/tags/')
    permissions:
        contents: write
        id-token: write

    steps:
    - uses: actions/checkout@v4
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
        python-version: '3.8'
    - name: Install dependencies
      shell: bash
      run: |
        python -m pip install --upgrade pip
        pip install hatch
    - name: mint API token
      id: mint-token
      run: |
        # retrieve the ambient OIDC token
        resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
        "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
        oidc_token=$(jq -r '.value' <<< "${resp}")

        # exchange the OIDC token for an API token
        resp=$(curl -X POST https://pypi.org/_/oidc/mint-token -d "{\"token\": \"${oidc_token}\"}")
        api_token=$(jq -r '.token' <<< "${resp}")

        # mask the newly minted API token, so that we don't accidentally leak it
        echo "::add-mask::${api_token}"

        # see the next step in the workflow for an example of using this step output
        echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
    - name: Build and publish on PyPI
      env:
        HATCH_INDEX_USER: __token__
        HATCH_INDEX_AUTH: ${{ steps.mint-token.outputs.api-token }}
      run: |
        hatch build
        hatch publish
    - name: Create release
      uses: ncipollo/release-action@v1
      with:
        draft: true
        body: ${{ github.event.head_commit.message }}
        artifacts: dist/*.whl,dist/*.tar.gz
        token: ${{ secrets.GITHUB_TOKEN }}