.github/workflows/package-pypi.yml

name: Package for PyPI

on: [workflow_call]

permissions: {}
defaults:
  run:
    shell: bash

jobs:
  pypi-sdist:
    runs-on: ubuntu-latest
    env:
      CODESIGN: 0
    steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-python@v5
      with:
        python-version: 3.12
    - name: Install dependencies (Linux)
      if: runner.os == 'linux'
      run: |
        sudo apt-get update
        sudo apt-get install libegl1
    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        python -m pip install --upgrade setuptools
        pip install --upgrade -r requirements.txt
    - name: Run tests
      timeout-minutes: 30
      run: |
        python setup.py test
    - name: Build Python source distribution
      run: |
        git clean -dfx
        python setup.py clean sdist --formats=gztar,zip
    - name: Prepare GPG signing key
      run: |
        if [ -n "$CODESIGN_GPG_URL" ] && [ -n "$AWS_ACCESS_KEY_ID" ]; then
          pip3 install awscli
          aws s3 cp "$CODESIGN_GPG_URL" signkey.asc.enc
          openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 -in signkey.asc.enc -out signkey.asc -k "$CODESIGN_GPG_PASSWORD"
          gpg --import signkey.asc
          rm signkey.asc*
          echo "CODESIGN=1" >> $GITHUB_ENV
        else
          echo "::warning::No signing key available, skipping code signing."
        fi
      env:
        AWS_DEFAULT_REGION: eu-central-1
        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        CODESIGN_GPG_URL: ${{ secrets.CODESIGN_GPG_URL }}
        CODESIGN_GPG_PASSWORD: ${{ secrets.CODESIGN_GPG_PASSWORD }}
    - name: Sign source archives
      if: env.CODESIGN == '1'
      run: |
        for f in dist/*.{zip,tar.gz}; do
          gpg --armor --local-user "$CODESIGN_GPG_IDENTITY" --output "${f}.asc" --detach-sig "$f"
        done
      env:
        CODESIGN_GPG_IDENTITY: 68990DD0B1EDC129B856958167997E14D563DA7C
    - name: Cleanup
      if: env.CODESIGN == '1'
      run: |
        rm -rf "$HOME/.gnupg"
    - name: Upload artifacts
      uses: actions/upload-artifact@v4
      with:
        name: picard-sdist
        path: dist/*

  pypi-bdist:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [macos-13, windows-2019]
        python-version: ['3.9', '3.10', '3.11', '3.12']
    steps:
    - uses: actions/checkout@v4
    - name: Set up Python ${{ matrix.python-version }}
      uses: actions/setup-python@v5
      with:
        python-version: ${{ matrix.python-version }}
    - name: Install gettext (macOS)
      if: runner.os == 'macOS'
      run: |
        brew install gettext
        brew link gettext --force
        echo "/usr/local/opt/gettext/bin" >> $GITHUB_PATH
    - name: Install gettext (Windows)
      if: runner.os == 'Windows'
      run: |
        & .\scripts\package\win-setup-gettext.ps1 `
          -GettextVersion $Env:GETTEXT_VERSION -GettextSha256Sum $Env:GETTEXT_SHA256SUM
        Add-Content $env:GITHUB_PATH (Join-Path -Path (Resolve-Path .) -ChildPath gettext\bin)
      shell: pwsh
      env:
        GETTEXT_VERSION: 0.22.4
        GETTEXT_SHA256SUM: 220068ac0b9e7aedda03534a3088e584640ac1e639800b3a0baa9410aa6d012a
    - name: Install dependencies (Linux)
      if: runner.os == 'linux'
      run: |
        sudo apt-get update
        sudo apt-get install libegl1
    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        python -m pip install --upgrade setuptools wheel
        pip install --upgrade -r requirements.txt
    - name: Run tests
      timeout-minutes: 30
      run: |
        python setup.py test
    - name: Build Python binary distribution
      run: |
        python setup.py clean bdist_wheel
    - name: Upload artifacts
      uses: actions/upload-artifact@v4
      with:
        name: picard-bdist-${{ runner.os }}-${{ matrix.python-version }}
        path: dist/*.whl

  pypi-release:
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/')
    needs:
      - pypi-bdist
      - pypi-sdist
    environment:
      name: pypi
      url: https://pypi.org/p/picard
    permissions:
      id-token: write  # required for PyPI upload
    steps:
    - uses: actions/download-artifact@v4
      with:
        pattern: picard-?dist*
        path: dist/
        merge-multiple: true
    - name: Prepare distributions
      run: |
        ls -l dist/
        # Remove zip source distribution (only a single sdist is allowed)
        rm dist/picard-*.zip*
    - name: Publish package distributions to PyPI
      uses: pypa/gh-action-pypi-publish@release/v1