ci: rc publish workflow

Author: Trup3s

.github/workflows/publish.yml

@@ -1,13 +1,17 @@
-name: Publish Python Package
+name: Continuous Delivery
 
 on:
   push:
-    tags:
-      - "v*.*.*"
+    branches:
+      - main
+      - rc
 
 jobs:
   publish:
     runs-on: ubuntu-latest
+    concurrency:
+      group: ${{ github.workflow }}-release-${{ github.ref_name }}
+      cancel-in-progress: false
     environment: pypi
     permissions:
       id-token: write
@@ -16,6 +20,13 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref_name }}
+          fetch-depth: 0
+
+      - name: Setup | Force release branch to be at workflow sha
+        run: |
+          git reset --hard ${{ github.sha }}
 
       - name: Set up Python
         uses: actions/setup-python@v5
@@ -32,19 +43,61 @@ jobs:
           virtualenvs-create: false
           installer-parallel: true
 
-      - name: Build package
-        run: poetry build
+      - name: Evaluate | Verify upstream has NOT changed
+        # Last chance to abort before causing an error as another PR/push was applied to
+        # the upstream branch while this workflow was running. This is important
+        # because we are committing a version change (--commit). You may omit this step
+        # if you have 'commit: false' in your configuration.
+        #
+        # You may consider moving this to a repo script and call it from this step instead
+        # of writing it in-line.
+        shell: bash
+        run: |
+          set +o pipefail
 
-      - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+          UPSTREAM_BRANCH_NAME="$(git status -sb | head -n 1 | cut -d' ' -f2 | grep -E '\.{3}' | cut -d'.' -f4)"
+          printf '%s\n' "Upstream branch name: $UPSTREAM_BRANCH_NAME"
+
+          set -o pipefail
+
+          if [ -z "$UPSTREAM_BRANCH_NAME" ]; then
+              printf >&2 '%s\n' "::error::Unable to determine upstream branch name!"
+              exit 1
+          fi
+
+          git fetch "${UPSTREAM_BRANCH_NAME%%/*}"
+
+          if ! UPSTREAM_SHA="$(git rev-parse "$UPSTREAM_BRANCH_NAME")"; then
+              printf >&2 '%s\n' "::error::Unable to determine upstream branch sha!"
+              exit 1
+          fi
 
-      - name: Upload package to GitHub Releases
-        uses: softprops/action-gh-release@v1
+          HEAD_SHA="$(git rev-parse HEAD)"
+
+          if [ "$HEAD_SHA" != "$UPSTREAM_SHA" ]; then
+              printf >&2 '%s\n' "[HEAD SHA] $HEAD_SHA != $UPSTREAM_SHA [UPSTREAM SHA]"
+              printf >&2 '%s\n' "::error::Upstream has changed, aborting release..."
+              exit 1
+          fi
+
+          printf '%s\n' "Verified upstream branch has not changed, continuing with release..."
+
+      - name: Action | Semantic Version Release
+        id: release
+        # Adjust tag with desired version if applicable.
+        uses: python-semantic-release/python-semantic-release@v9.21.1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          git_committer_name: "github-actions"
+          git_committer_email: "actions@users.noreply.github.com"
+
+      - name: Publish | Upload to GitHub Release Assets
+        uses: python-semantic-release/publish-action@v9.21.1
+        if: steps.release.outputs.released == 'true'
         with:
-          tag_name: ${{ github.ref }}
-          generate_release_notes: true
-          files: |
-            dist/*.tar.gz
-            dist/*.whl
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          tag: ${{ steps.release.outputs.tag }}
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        if: steps.release.outputs.released == 'true'

poetry.lock

@@ -21,17 +21,40 @@ dependencies = [
 ]
 
 
+[project.urls]
+Homepage = "https://github.com/Trup3s/resimulate"
+Repository = "https://github.com/Trup3s/resimulate"
+
+
 [build-system]
 requires = ["poetry-core>=2.0.0,<3.0.0"]
 build-backend = "poetry.core.masonry.api"
 
 [tool.poetry.group.dev.dependencies]
-ruff = "^0.11.8"
+ruff = "^0.11.9"
 pre-commit = "^4.2.0"
 pytest = "^8.3.5"
 
 [tool.poetry.scripts]
 resimulate = "resimulate.cli:run"
 
+[tool.semantic_release]
+upload_to_pypi = true
+upload_to_release = true
+build_command = "poetry build"
+branch = "main"
+changelog_file = "CHANGELOG.md"
+commit_author = "github-actions <github-actions@github.com>"
+major_on_zero = false
+
+[tool.semantic_release.branches.main]
+match = "main"
+prerelease = false
+
+[tool.semantic_release.branches."rc"]
+match = "rc"
+prerelease = true
+prerelease_token = "rc"
+
 [tool.basedpyright]
 venvPath = "."