tantivy-py/.github/workflows/publish.yaml

name: Test & Release

on:
  release:
    types: [published]

  # pull_request:
  #   branches:
  #     - master

permissions:
  contents: read

jobs:
  linux:
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # ability to mint the OIDC token permission is necessary to persist the attestation
      contents: read
      attestations: write  # persist the attestation
    strategy:
      matrix:
        platform: [ 'x86_64-unknown-linux-gnu', 'aarch64-unknown-linux-gnu' ]
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            cdn.quay.io:443
            cdn01.quay.io:443
            cdn02.quay.io:443
            cdn03.quay.io:443
            crates.io:443
            files.pythonhosted.org:443
            ghcr.io:443
            github.com:443
            index.crates.io:443
            objects.githubusercontent.com:443
            pkg-containers.githubusercontent.com:443
            pypi.org:443
            quay.io:443
            sh.rustup.rs:443
            static.crates.io:443
            static.rust-lang.org:443
            uploads.github.com:443

      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f
        with:
          python-version: 3.8
          architecture: x64

      - uses: PyO3/maturin-action@2c5c1560848aaa364c3545136054932db5fa27b7
        with:
          manylinux: auto
          target: ${{ matrix.platform }}
          command: build
          args: --release --sdist -o dist -i 3.8 3.9 3.10 3.11 3.12

      - name: Upload wheels
        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029  # 4.3.5
        with:
          name: wheels-linux-${{ matrix.platform }}
          path: dist

  windows:
    runs-on: windows-latest
    permissions:
      id-token: write  # ability to mint the OIDC token permission is necessary to persist the attestation
      contents: read
      attestations: write  # persist the attestation
    strategy:
      matrix:
        target: [x64]
        python-version: ['3.8', '3.9', '3.10', '3.11', '3.12']
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
        with:
          egress-policy: audit

      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f
        with:
          python-version: ${{ matrix.python-version }}

      - uses: PyO3/maturin-action@2c5c1560848aaa364c3545136054932db5fa27b7
        env:
          PYO3_PYTHON: python${{ matrix.python-version }}
        with:
          command: build
          args: --release -o dist

      - name: Upload wheels
        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029  # 4.3.5
        with:
          name: wheels-windows-${{ matrix.python-version }}-${{ matrix.target }}
          path: dist

  macos:
    runs-on: macos-latest
    permissions:
      id-token: write  # ability to mint the OIDC token permission is necessary to persist the attestation
      contents: read
      attestations: write  # persist the attestation
    strategy:
      matrix:
        python-version: ['3.8', '3.9', '3.10', '3.11', '3.12']
        target: ['universal2', 'x86_64-apple-darwin']
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f
        with:
          python-version: ${{ matrix.python-version }}

      - name: Build wheels - ${{ matrix.target }}
        uses: PyO3/maturin-action@2c5c1560848aaa364c3545136054932db5fa27b7
        env:
          PYO3_PYTHON: python${{ matrix.python-version }}
        with:
          target: ${{ matrix.target }}
          command: build
          args: --release -o dist

      - name: Upload wheels
        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029  # 4.3.5
        with:
          name: wheels-macos-${{ matrix.python-version }}-${{ matrix.target }}
          path: dist

  python-release-github:
    runs-on: ubuntu-latest
    needs: [ macos, windows, linux ]
    permissions:
      contents: write # To add assets to a release.
      checks: write
      packages: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.1.0
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            uploads.github.com:443
            static.rust-lang.org:443 

      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ github.head_ref }}

      - uses: dtolnay/rust-toolchain@21dc36fb71dd22e3317045c0c31a3f4249868b17
        with:
          toolchain: "1.73.0"

      - name: Set up Python 3.8
        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
        with:
          python-version: 3.8

      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          path: wheels
          pattern: wheels-*
          merge-multiple: true

      - name: Upload release binaries
        uses: alexellis/upload-assets@13926a61cdb2cb35f5fdef1c06b8b591523236d3 # 0.4.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          asset_paths: '["./wheels/tantivy-*"]'

  release-pypy:
    name: Release
    runs-on: ubuntu-latest
    needs: [ macos, windows, linux ]
    permissions:
      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
        with:
          egress-policy: audit

      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          path: wheels
          pattern: wheels-*
          merge-multiple: true

      - name: Publish package distributions to Test PyPI
        uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # v1.9.0
        with:
          repository-url: https://test.pypi.org/legacy/
          packages-dir: wheels/
          skip-existing: true

      - name: Publish package distributions to PyPI
        if: always()
        uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # v1.9.0
        with:
          packages-dir: wheels/
          skip-existing: true