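# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# Release pipeline: on every push to main, release-please maintains the
# release PR / release commit; when it reports that a release was created,
# the `release` job builds the distribution with hatch and publishes it to
# PyPI through trusted publishing (OIDC).
#
# NOTE(review): all three actions are referenced by a mutable tag or branch
# (v4, v4, release/v1). Pinning each `uses:` to a full commit SHA would keep
# an upstream retag from changing what runs with write or id-token access.

name: Release

on:
  push:
    branches:
      - main

# Workflow-wide default for GITHUB_TOKEN; each job below sets its own
# permissions, which replace this default for that job.
permissions:  # added using https://github.com/step-security/secure-workflows
  contents: read

jobs:
  release-please:
    permissions:
      contents: write  # for googleapis/release-please-action to create release commit
      pull-requests: write  # for googleapis/release-please-action to create release PR
    runs-on: ubuntu-latest
    steps:
      - uses: googleapis/release-please-action@v4
        id: release
        with:
          # The action authenticates with this repository secret rather than
          # GITHUB_TOKEN, so the `permissions` block above does not limit it;
          # its scope is whatever the secret was issued with.
          # NOTE(review): confirm the token is restricted to this repository.
          token: ${{secrets.RELEASE_PLEASE_ACTION_TOKEN}}
          target-branch: main
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      release_tag_name: ${{ steps.release.outputs.tag_name }}

  release:
    runs-on: ubuntu-latest
    # Deployment environment; any protection rules configured for it
    # (reviewers, branch limits) gate this job before it starts.
    environment: release
    permissions:
      # IMPORTANT: this permission is mandatory for trusted publishing to pypi
      id-token: write
      # `contents` is not granted here. NOTE(review): checkout then depends on
      # the repository being readable without it - confirm, or add
      # `contents: read`.
    needs: release-please
    # Publish only when release-please reported a new release.
    if: ${{ needs.release-please.outputs.release_created }}
    container:
      image: "python:3.12"
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the job token in .git/config: the following steps
          # run code installed from PyPI and the project's build backend.
          persist-credentials: false
      - name: Upgrade pip
        run: pip install --upgrade pip
      # NOTE(review): hatch (and its dependencies) is installed unpinned and
      # runs in the same job that can request the PyPI OIDC token. Pinning the
      # version, or building in a separate job without `id-token: write` and
      # handing the dist/ files to a publish-only job, would narrow what a
      # compromised build dependency could do.
      - name: Install hatch
        run: pip install hatch
      - name: Build a binary wheel and a source tarball
        run: hatch build
      - name: Publish a Python distribution to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1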