From 566e99ab1b615151d2720652086e7169cbebf134 Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Thu, 5 Dec 2024 11:18:05 +0100
Subject: [PATCH] feat: use stackable and PyPA GitHub action

---
 .github/workflows/pr_pre-commit.yml |  7 +---
 .github/workflows/publish.yml       | 57 +++++++++++++++++++----------
 README.md                           | 31 ++++++----------
 3 files changed, 51 insertions(+), 44 deletions(-)

diff --git a/.github/workflows/pr_pre-commit.yml b/.github/workflows/pr_pre-commit.yml
index aeff880..f6a5a23 100644
--- a/.github/workflows/pr_pre-commit.yml
+++ b/.github/workflows/pr_pre-commit.yml
@@ -11,9 +11,6 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
-      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+      - uses: stackabletech/actions/run-pre-commit@5901c3b1455488820c4be367531e07c3c3e82538 # v0.4.0
         with:
-          python-version: '3.12'
-      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
-        with:
-          extra_args: "--from-ref ${{ github.event.pull_request.base.sha }} --to-ref ${{ github.event.pull_request.head.sha }}"
+          python-version: '3.13'
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6eb61f3..0524083 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,3 +1,4 @@
+---
 name: Publish
 
 on:
@@ -7,25 +8,41 @@ on:
 
 jobs:
   build:
+    name: Package wheel
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        python-version: ["3.12"]
     steps:
-    - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
-      with:
-        python-version: ${{ matrix.python-version }}
-    - name: Install publish dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install '.[publish]'
-    - name: Build and test wheel
-      run: |
-        rm -rf dist/
-        python -m build --sdist --wheel .
-        twine check dist/*
-    - name: Publish
-      run: |
-        twine upload  --non-interactive --verbose --username __token__ --password ${{ secrets.PYPI_API_TOKEN }} dist/*
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+      - name: Set up Python
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5
+        with:
+          python-version: "3.13.0"
+      - name: Install publish dependencies
+        run: |
+          python -m pip install --upgrade pip build
+      - name: Build and test wheel
+        run: |
+          rm -rf dist/
+          python -m build --sdist --wheel .
+      - name: Store wheel
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882  # v4.4.3
+        with:
+          name: image-tools-stackabletech-package
+          path: dist/
+  pypi-publish:
+    name: Upload to PyPI
+    needs:
+      - build
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/image-tools-stackabletech
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
+    steps:
+      - name: Download wheel
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: image-tools-stackabletech-package
+          path: dist/
+      - name: Publish distribution 📦 to PyPI
+        uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2
diff --git a/README.md b/README.md
index c6bd6cc..1b411bb 100644
--- a/README.md
+++ b/README.md
@@ -155,22 +155,15 @@ pre-commit run
 
 ## Release a new version
 
-1. Create a release PR where you:
-1.1. Update the version in:
-
-* `src/image_tools/version.py`
-* `README.md` : version and pip install command.
-
-1.2. Update the CHANGELOG.
-2. Tag the release commit after it is merged to `main`.
-3. Automated GH actions will publish the new version to PyPI.
-
-To publish manually (requires PyPI credentials):
-
-Build and publish:
-
-```shell
-rm -rf dist/
-python -m build --sdist --wheel .
-twine upload dist/*
-```
+A new release involves bumping the package version and publishing it to PyPI.
+The easiest way to publish to PyPI is to allow the release GitHub action to do it for you.
+This action is also the preferred way, as it will publish a verified package using PyPI attestations.
+
+To release a new version follow the steps below:
+
+1. Create a new Git branch. For example `release-1.2.3`.
+2. Update the version string (`1.2.3`) in: `src/image_tools/version.py` and`README.md`.
+3. Commit, push and create a PR.
+4. After the PR is merged, switch to the `main` branch and update it by executing `git pull`.
+5. On the `main` branch, create and push the release tag. For example: `git tag 1.2.3 -m 1.2.3 && git push origin 1.2.3`.
+6. Done!