name: Release

on:
  workflow_dispatch:
    inputs:
      version:
        description: "The new version to set"
        required: true
      following_version:
        description: "The post (dev) version to set"
        required: true
      dry_run:
        description: "Dry Run?"
        default: false
        type: boolean

env:
  # Changes per repo
  PRODUCT_NAME: PyMongo
  # Changes per branch
  SILK_ASSET_GROUP: mongodb-python-driver
  EVERGREEN_PROJECT: mongo-python-driver

defaults:
  run:
    shell: bash -eux {0}

jobs:
  pre-publish:
    environment: release
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
    outputs:
      version: ${{ steps.pre-publish.outputs.version }}
    steps:
      - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
        with:
          app_id: ${{ vars.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
      - uses: mongodb-labs/drivers-github-tools/setup@v2
        with:
          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
          aws_region_name: ${{ vars.AWS_REGION_NAME }}
          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
          artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }}
      - uses: mongodb-labs/drivers-github-tools/python/pre-publish@v2
        id: pre-publish
        with:
          version: ${{ inputs.version }}
          dry_run: ${{ inputs.dry_run }}

  build-dist:
    needs: [pre-publish]
    uses: ./.github/workflows/dist.yml
    with:
      ref: ${{ needs.pre-publish.outputs.version }}

  static-scan:
    needs: [pre-publish]
    uses: ./.github/workflows/codeql.yml
    permissions:
      security-events: write
    with:
      ref: ${{ needs.pre-publish.outputs.version }}

  publish:
    needs: [build-dist, static-scan]
    name: Upload release to PyPI
    runs-on: ubuntu-latest
    environment: release
    permissions:
      id-token: write
    steps:
      - name: Download all the dists
        uses: actions/download-artifact@v4
        with:
          name: all-dist-${{ github.run_id }}
          path: dist/
      - name: Publish package distributions to PyPI
        if: startsWith(inputs.dry_run, 'false')
        uses: pypa/gh-action-pypi-publish@release/v1

  post-publish:
    needs: [publish]
    runs-on: ubuntu-latest
    environment: release
    permissions:
      id-token: write
      contents: write
      attestations: write
      security-events: write
    steps:
      - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
        with:
          app_id: ${{ vars.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
      - uses: mongodb-labs/drivers-github-tools/setup@v2
        with:
          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
          aws_region_name: ${{ vars.AWS_REGION_NAME }}
          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
          artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }}
      - uses: mongodb-labs/drivers-github-tools/python/post-publish@v2
        with:
          version: ${{ inputs.version }}
          following_version: ${{ inputs.following_version }}
          product_name: ${{ env.PRODUCT_NAME }}
          silk_asset_group: ${{ env.SILK_ASSET_GROUP }}
          evergreen_project: ${{ env.EVERGREEN_PROJECT }}
          token: ${{ github.token }}
          dry_run: ${{ inputs.dry_run }}