github-make-release.yaml

---

on:
  workflow_call:

jobs:
  github-release:
    name: Sign packages and upload to GitHub releases
    runs-on: ubuntu-latest

    permissions:
      contents: write # IMPORTANT: mandatory for making GitHub Releases
      id-token: write # IMPORTANT: mandatory for sigstore

    steps:
      - name: Download dists from artifacts
        uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/

      - name: Sign dists
        uses: sigstore/gh-action-sigstore-python@v3.0.0
        with:
          inputs: >-
            ./dist/*.tar.gz
            ./dist/*.whl

      - name: Create GitHub Release
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
        env:
          GITHUB_TOKEN: ${{ github.token }}
        run: gh release create "$GITHUB_REF_NAME" --repo "$GITHUB_REPOSITORY" --notes ""

      - name: Upload artifact signatures to GitHub release
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
        env:
          GITHUB_TOKEN: ${{ github.token }}
        run: gh release upload "$GITHUB_REF_NAME" dist/** --repo "$GITHUB_REPOSITORY"