chore(ci): refactor workflows, enable github releases and define branch policies under .releaserc, publish to pypi via trusted publishing mechanism

Author: hleb-rubanau

.github/actions/refetch-artifacts/action.yml

@@ -0,0 +1,12 @@
+name: Refetch artifacts
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/download-artifact@v4
+      with:
+        name: wheel
+        path: ./dist
+    - uses: actions/download-artifact@v4
+      with:
+        name: sdist 
+        path: ./dist

.github/actions/setup-semantic-release/action.yml

@@ -14,5 +14,6 @@ runs:
       semantic-release                          \
       @semantic-release/exec                    \
       @semantic-release/git                     \
+      @semantic-release/github                  \
       @semantic-release/changelog               \
       @google/semantic-release-replace-plugin

.github/workflows/lint-and-test.yml

@@ -0,0 +1,41 @@
+name: Lint and test
+on: 
+  pull_request:
+  push:
+    branches:
+      - master
+      - 'ci/**'         # ci testing, pre-releases
+      #- 'feature/**'    
+
+jobs:
+  lint: 
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v5
+    - uses: ./.github/actions/setup
+    - name: Lint
+      id: lint
+      run: tox -e lint  
+      continue-on-error: true
+    - name: Emit warning if lint failed
+      if: ${{ steps.lint.outcome != 'success' }}
+      run: echo "::warning::Linter failure suppressed (continue-on-error=true)"
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ ubuntu-latest ]
+        python: 
+          - "3.12"
+          - "3.11"
+          - "3.10"
+          - "3.9.14"
+          - "3.8"
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v5
+    - uses: ./.github/actions/setup
+      with:
+        python: ${{ matrix.python }}
+    - name: Test
+      run: tox

.github/workflows/main.yml

@@ -0,0 +1,97 @@
+name: Release
+
+on:
+  workflow_run:
+    workflows: ["Lint and test"]
+    types:
+      - completed
+    branches:
+      - master
+      - 'ci/**'         # ci testing, pre-releases
+      #- develop        # can emit -dev releases but we do not want to
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: "Run in dry-run mode (no publish)"
+        required: false
+        default: "true"
+
+# MUSTHAVE: Trusted publisher access for both repos. 
+# NOTE: according to docs, 'test' repo accounts are ephemeral and can be wiped at any time
+env:
+  DRY_RUN:        ${{ github.event.inputs.dry_run || 'false' }}
+  pypi_main_repo: https://upload.pypi.org/legacy/
+  pypi_test_repo: https://test.pypi.org/legacy/
+
+jobs:
+
+  release:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success' && (github.event.workflow_run.head_branch == 'master' || startsWith(github.event.workflow_run.head_branch, 'ci/') ) )
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v5
+      - uses: ./.github/actions/setup-semantic-release                    # node+semantic-release
+      - uses: ./.github/actions/setup                                     # poetry
+      - id: semantic-release                                              # branch policies defined in .releaserc
+        env:
+          GIT_AUTHOR_NAME: appland-release
+          GIT_AUTHOR_EMAIL: release@app.land
+          GIT_COMMITTER_NAME: appland-release
+          GIT_COMMITTER_EMAIL: release@app.land
+        run: |
+          if [ "$DRY_RUN" = "true" ]; then         
+            semantic-release --dry-run
+          else 
+            semantic-release
+          fi
+      - name: Upload wheel
+        if: env.DRY_RUN != "true"
+        uses: actions/upload-artifact@v4
+        with:
+          name: wheel
+          path: dist/*.whl
+      - name: Upload sdist
+        if: env.DRY_RUN != "true"
+        uses: actions/upload-artifact@v4
+        with:
+          name: sdist
+          path: dist/*.tar.gz
+    outputs:  # not reused in fact
+      release_tag: ${{ steps.semantic-release.outputs.next_release_tag }}
+  
+  smoketest:
+    runs-on: ubuntu-latest
+    needs: release
+    if: env.DRY_RUN!="true"
+    steps:
+    - uses: actions/checkout@v5
+    - uses: ./.github/actions/refetch-artifacts
+    - name: dockerhub login (for seamless docker pulling)
+      uses: ./.github/actions/dockerhub-login
+      env:
+        DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
+        DOCKERHUB_USERNAME: ${{ vars.DOCKERHUB_USERNAME    }}
+      continue-on-error: true
+    - run: ci/run_tests.sh
+      env:
+        SMOKETEST_DOCKER_IMAGE: python:3.12-alpine
+
+  pypi:
+    name: upload release to PyPI
+    needs: ['release','smoketest']
+    if:  ((  env.DRY_RUN != "true" ) && ((github.ref_name == 'master') || startsWith(github.ref_name,"ci/")))
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@v5
+      - uses: ./.github/actions/refetch-artifacts
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: ${{ github.ref_name == 'master' && env.pypi_main_repo || env.pypi_test_repo }} 

.github/workflows/release.yml

@@ -1,3 +1,11 @@
+branches:
+  - main
+  - name: develop
+    prerelease: dev
+  - name: ci
+    prerelease: ci
+  - name: feature/*
+    prerelease: rc
 plugins:
 - '@semantic-release/commit-analyzer'
 - '@semantic-release/release-notes-generator'
@@ -18,4 +26,9 @@ plugins:
     - CHANGELOG.md
     - pyproject.toml
 - - '@semantic-release/exec'
-  - publishCmd: "poetry publish --build -r <%= process.env.PYPI_PUBLISH_REPO ? process.env.PYPI_PUBLISH_REPO : 'pypi' %>"
+  - prepareCmd: poetry build
+- - '@semantic-release/github'
+  - assets:
+      - dist/*.whl
+      - dist/*.tar.gz
+    branches: master