name: Release

on:
  workflow_dispatch:
    inputs:
      following_version:
        description: "The post (dev) version to set"
      dry_run:
        description: "Dry Run?"
        default: false
        type: boolean
  schedule:
    - cron:  '30 5 * * *'

env:
  # Changes per repo
  PRODUCT_NAME: PyMongo
  # Changes per branch
  EVERGREEN_PROJECT: mongo-python-driver-release
  # Constant
  # inputs will be empty on a scheduled run.  so, we only set dry_run
  # to 'false' when the input is set to 'false'.
  DRY_RUN: ${{ ! contains(inputs.dry_run, 'false') }}
  FOLLOWING_VERSION: ${{ inputs.following_version || '' }}

defaults:
  run:
    shell: bash -eux {0}

jobs:
  pre-publish:
    environment: release
    runs-on: ubuntu-latest
    if: github.repository_owner == 'mongodb' || github.event_name == 'workflow_dispatch'
    permissions:
      id-token: write
      contents: write
    outputs:
      version: ${{ steps.pre-publish.outputs.version }}
    steps:
      - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
        with:
          app_id: ${{ vars.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
      - uses: mongodb-labs/drivers-github-tools/setup@v2
        with:
          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
          aws_region_name: ${{ vars.AWS_REGION_NAME }}
          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
          artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }}
      - uses: mongodb-labs/drivers-github-tools/python/pre-publish@v2
        id: pre-publish
        with:
          dry_run: ${{ env.DRY_RUN }}

  build-dist:
    needs: [pre-publish]
    uses: ./.github/workflows/dist.yml
    with:
      ref: ${{ needs.pre-publish.outputs.version }}

  static-scan:
    needs: [pre-publish]
    uses: ./.github/workflows/codeql.yml
    permissions:
      security-events: write
    with:
      ref: ${{ needs.pre-publish.outputs.version }}

  publish:
    needs: [build-dist, static-scan]
    name: Upload release to PyPI
    runs-on: ubuntu-latest
    environment: release
    permissions:
      id-token: write
    steps:
      - name: Download all the dists
        uses: actions/download-artifact@v4
        with:
          name: all-dist-${{ github.run_id }}
          path: dist/
      - name: Publish package distributions to TestPyPI
        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # release/v1
        with:
          repository-url: https://test.pypi.org/legacy/
          skip-existing: true
          attestations: ${{ env.DRY_RUN }}
      - name: Publish package distributions to PyPI
        if: startsWith(env.DRY_RUN, 'false')
        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # release/v1

  post-publish:
    needs: [publish]
    runs-on: ubuntu-latest
    environment: release
    permissions:
      id-token: write
      contents: write
      attestations: write
      security-events: write
    steps:
      - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
        with:
          app_id: ${{ vars.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
      - uses: mongodb-labs/drivers-github-tools/setup@v2
        with:
          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
          aws_region_name: ${{ vars.AWS_REGION_NAME }}
          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
          artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }}
      - uses: mongodb-labs/drivers-github-tools/python/post-publish@v2
        with:
          following_version: ${{ env.FOLLOWING_VERSION }}
          product_name: ${{ env.PRODUCT_NAME }}
          evergreen_project: ${{ env.EVERGREEN_PROJECT }}
          token: ${{ github.token }}
          dry_run: ${{ env.DRY_RUN }}