# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

name: Release

on:
  push:
    branches:
      - main

permissions: # added using https://github.com/step-security/secure-workflows
  contents: read

jobs:
  release-please:
    permissions:
      contents: write # for googleapis/release-please-action to create release commit
      pull-requests: write # for googleapis/release-please-action to create release PR
    runs-on: ubuntu-latest

    steps:
      - uses: googleapis/release-please-action@db8f2c60ee802b3748b512940dde88eabd7b7e01 # v3
        id: release
        with:
          command: manifest
          token: ${{secrets.RELEASE_PLEASE_ACTION_TOKEN}}
          default-branch: main
          signoff: "OpenFeature Bot <109696520+openfeaturebot@users.noreply.github.com>"
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      release_tag_name: ${{ steps.release.outputs.tag_name }}

  release:
    runs-on: ubuntu-latest
    environment: release
    permissions:
      # IMPORTANT: this permission is mandatory for trusted publishing to pypi
      id-token: write
    needs: release-please
    if: ${{ fromJSON(needs.release-please.outputs.release_created || false) }}

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
        with:
          python-version: '3.13'

      - name: Upgrade pip
        run: pip install --upgrade pip

      - name: Install hatch
        run: pip install hatch

      - name: Build a binary wheel and a source tarball
        run: hatch build

      - name: Publish a Python distribution to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1