ci: improve beta bump and release handling (#674)

.github/workflows/bump.yml

@@ -79,15 +79,10 @@ jobs:
           if [ "${{ steps.bump-type.outputs.type }}" = "stable" ]; then
             COMMAND="hatch run bump"
           else
-            # For beta, only proceed if current version is not beta
-            if [ "${{ steps.current-version.outputs.is_beta }}" = "true" ]; then
-              echo "Current version is already beta, skipping bump"
-              echo "bumped=false" >> $GITHUB_OUTPUT
-              exit 0
-            fi
+            # For beta, we should always run the bump
             COMMAND="hatch run beta-bump"
           fi
-
+          
           # Execute the command
           if $COMMAND; then
             echo "bumped=true" >> $GITHUB_OUTPUT

.github/workflows/cd.yml

@@ -0,0 +1,84 @@
+name: cd
+
+on:
+  push:
+    tags:
+      # Stable releases (1.2.3)
+      - 'v?[0-9]+.[0-9]+.[0-9]+'
+      # Beta releases (1.2.3b0)
+      - 'v?[0-9]+.[0-9]+.[0-9]+b[0-9]+'
+
+jobs:
+  ci:
+    uses: ./.github/workflows/ci.yml  
+
+  build:
+    needs: [ci]
+    uses: ./.github/workflows/reusable-build.yml
+
+  # TODO: Test generated artifacts before releasing and publish
+
+  release:
+    needs: [ci, build]
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+
+      - name: Get version from tag
+        id: get_version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/}
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Tag version: $VERSION"
+          
+      - name: Generate release notes
+        id: release_notes
+        run: |
+          PREV_TAG=$(git describe --tags --abbrev=0 HEAD^)
+          NOTES=$(git log ${PREV_TAG}..HEAD --pretty=format:"* %s (%h)")
+          echo "RELEASE_NOTES<<EOF" >> $GITHUB_OUTPUT
+          echo "## What's Changed" >> $GITHUB_OUTPUT
+          echo "$NOTES" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+          
+      - name: Create GitHub Release
+        id: create_release
+        uses: softprops/action-gh-release@v2.0.1
+        with:
+          name: Version ${{ steps.get_version.outputs.version }}
+          body: ${{ steps.release_notes.outputs.RELEASE_NOTES }}
+          files: |
+            safety-linux/safety
+            safety-windows/safety.exe
+            safety-macos/safety
+            dist/*
+          prerelease: ${{ contains(steps.get_version.outputs.version, 'b') }}
+
+  publish:
+    needs: [release]
+    runs-on: ubuntu-24.04
+    environment:
+      name: pypi
+      url: https://pypi.org/p/safety
+    permissions:
+      id-token: write
+    steps:
+      - name: Download dist artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: dist/
+          verbose: true
+          print-hash: true

.github/workflows/reusable-build.yml

@@ -8,8 +8,9 @@ on:
         type: string
         default: "3.12"
       bump-command:
-        required: true
+        required: false
         type: string
+        default: ""
       branch-name:
         required: false
         type: string