.github/workflows/release.yml

---
name: Release

on:
  push:
    branches:
      - main
    paths-ignore:
      - '**.md'
      - 'LICENSE'
      - '.github/dependabot.yml'
  schedule:
    # every Saturday
    - cron: '0 0 * * 6'
  workflow_dispatch:

env:
  PIP_DISABLE_PIP_VERSION_CHECK: true

jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install poetry
        run: |
          pipx install poetry

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
          cache: poetry

      - name: Install Python modules
        run: |
          poetry install --without dev
          poetry run pip list

      - name: Test generator.py
        run: |
          poetry run python mtglabels/generator.py --labels-per-sheet 30 --output-dir /tmp ice

  snyk-python:
    runs-on: ubuntu-22.04
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run Snyk to check for Python vulnerabilities
        continue-on-error: true
        uses: snyk/actions/python-3.10@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk-python.sarif

      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk-python.sarif

  release:
    needs:
      - build
    runs-on: ubuntu-22.04
    concurrency: release
    permissions:
      id-token: write
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Python Semantic Release
        uses: python-semantic-release/python-semantic-release@v9.15.2
        with:
          github_token: ${{ secrets.PAT }}