ci: add release automation

Author: tbhb

.github/workflows/release.yml

@@ -0,0 +1,196 @@
+---
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+  release:
+    types: [created, edited, published]
+
+concurrency:
+  group: release-${{ github.ref }}
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+jobs:
+  # Build distribution packages and generate SBOM
+  build:
+    name: Build distribution
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    outputs:
+      version: "${{ steps.version.outputs.version }}"
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v7.1.5
+        with:
+          python-version: "3.10"
+          enable-cache: true
+
+      - name: Install just
+        uses: extractions/setup-just@e33e0265a09d6d736e2ee1e0eb685ef1de4669ff # v3.0.0
+
+      - name: Add dev version if not a PyPi build
+        if: "github.event_name == 'push' || (github.event_name == 'release' && github.event.action != 'published')"
+        run: |
+          just set-dev-version ${{ github.run_number}}
+
+      - name: Capture version
+        id: version
+        run: |
+          echo "version=$(just version)" >> "$GITHUB_OUTPUT"
+
+      - name: Build package with SBOM
+        run: just build-release
+
+      - name: Upload distributions
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: dist
+          path: dist/
+          retention-days: 7
+
+  # Test built package installs correctly
+  test:
+    name: "Test package (${{ matrix.os }}, Python ${{ matrix.python-version }})"
+    needs: build
+    runs-on: "${{ matrix.os }}"
+    timeout-minutes: 10
+    strategy:
+      fail-fast: false
+      matrix:
+        os: ["ubuntu-latest", "windows-latest", "macos-latest"]
+        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14", "3.14t"]
+
+    steps:
+      - name: Download distributions
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          name: dist
+          path: dist/
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v7.1.5
+        with:
+          python-version: ${{ matrix.python-version }}
+          enable-cache: false # No checkout, so no dependency files to hash
+
+      - name: Install from wheel
+        run: |
+          uv venv
+          uv pip install dist/*.whl
+
+      - name: Smoke test
+        run: |
+          uv run python -c "import jsonlt; print(f'Version: {jsonlt.__version__}')"
+
+  # Publish to TestPyPI (triggered by tag push or draft release/unpublished release edit)
+  publish-testpypi:
+    name: Publish to TestPyPI
+    needs:
+      - build
+      - test
+    if: "github.event_name == 'push' || (github.event_name == 'release' && github.event.action != 'published')"
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/p/jsonlt-python
+
+    permissions:
+      id-token: write # Trusted Publishing OIDC
+      attestations: write # Artifact attestations
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Download distributions
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          name: dist
+          path: dist/
+
+      - name: Generate build attestation
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        with:
+          subject-path: "dist/*.tar.gz,dist/*.whl"
+
+      - name: Generate SBOM attestation
+        uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34 # v3.0.0
+        with:
+          subject-path: "dist/*.tar.gz,dist/*.whl"
+          sbom-path: dist/sbom.cdx.json
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v7.1.5
+        with:
+          python-version: "3.10"
+
+      - name: Install just
+        uses: extractions/setup-just@e33e0265a09d6d736e2ee1e0eb685ef1de4669ff # v3.0.0
+
+      - name: Publish to TestPyPI
+        run: just publish-testpypi
+
+      - name: Verify TestPyPI release
+        run: just verify-testpypi ${{ needs.build.outputs.version }}
+
+  # Publish to PyPI (triggered by publishing the GitHub Release)
+  publish-pypi:
+    name: Publish to PyPI
+    needs:
+      - build
+      - test
+    if: github.event_name == 'release' && github.event.action == 'published'
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    environment:
+      name: pypi
+      url: https://pypi.org/p/jsonlt-python
+
+    permissions:
+      id-token: write # Trusted Publishing OIDC
+      attestations: write # Artifact attestations
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Download distributions
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          name: dist
+          path: dist/
+
+      - name: Generate build attestation
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        with:
+          subject-path: "dist/*.tar.gz,dist/*.whl"
+
+      - name: Generate SBOM attestation
+        uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34 # v3.0.0
+        with:
+          subject-path: "dist/*.tar.gz,dist/*.whl"
+          sbom-path: dist/sbom.cdx.json
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v7.1.5
+        with:
+          python-version: "3.10"
+
+      - name: Install just
+        uses: extractions/setup-just@e33e0265a09d6d736e2ee1e0eb685ef1de4669ff # v3.0.0
+
+      - name: Publish to PyPI
+        run: just publish-pypi
+
+      - name: Verify PyPi release
+        run: just verify-testpypi ${{ needs.build.outputs.version }}

Justfile

@@ -3,8 +3,10 @@ set unstable
 set positional-arguments
 
 project := "jsonlt"
-package := "jsonlt"
+package := "jsonlt-python"
+module := "jsonlt"
 pnpm := "pnpm exec"
+test_pypi_index := "https://test.pypi.org/legacy/"
 
 # List available recipes
 default:
@@ -114,11 +116,11 @@ prek-all:
   prek run --all-files
 
 # Publish to TestPyPI (requires OIDC token in CI or UV_PUBLISH_TOKEN)
-publish-testpypi: build-release
-  uv publish --publish-url https://test.pypi.org/legacy/
+publish-testpypi:
+  uv publish --publish-url {{test_pypi_index}}
 
 # Publish to PyPI (requires OIDC token in CI or UV_PUBLISH_TOKEN)
-publish-pypi: build-release
+publish-pypi:
   uv publish
 
 # Run command
@@ -137,6 +139,13 @@ run-python *args:
 sbom output="sbom.cdx.json":
   uv run --isolated --group release cyclonedx-py environment --of json -o {{output}}
 
+# Set development version (appends .devN)
+[script]
+set-dev-version number:
+  base_version="$(uv version --package {{package}} | awk '{print $2}')"
+  version="${base_version}.dev{{number}}"
+  uv version --package {{package}} "${version}"
+
 # Run tests (excludes benchmarks and slow tests by default)
 test *args:
   pytest "$@"
@@ -171,3 +180,28 @@ update-examples *args:
 # Sync Vale styles and dictionaries
 vale-sync:
   vale sync
+
+# Show the current version
+[script]
+version:
+  uv version --package {{package}} | awk '{print $2}'
+
+# Verify a PyPi release
+[script]
+verify-pypi version:
+  tmp_dir="/tmp/{{package}}-verify-pypi/venv"
+  rm -fr "${tmp_dir}"
+  mkdir -p "${tmp_dir}"
+  uv venv --directory "${tmp_dir}" --python 3.10 --no-project --no-cache
+  uv pip install --directory "${tmp_dir}" --no-cache --strict "{{package}}=={{version}}"
+  uv run --directory "${tmp_dir}" --no-project python -c "import {{module}}; print({{module}}.__version__)"
+
+# Verify a TestPyPi release
+[script]
+verify-testpypi version:
+  tmp_dir="/tmp/{{package}}-verify-testpypi/venv"
+  rm -fr "${tmp_dir}"
+  mkdir -p "${tmp_dir}"
+  uv venv --directory "${tmp_dir}" --python 3.10 --no-project --no-cache --default-index "https://test.pypi.org/simple/" --extra-index-url "https://pypi.org/simple/"
+  uv pip install --directory "${tmp_dir}" --no-cache --strict --default-index "https://test.pypi.org/simple/" --extra-index-url "https://pypi.org/simple/" "{{package}}=={{version}}"
+  uv run --directory "${tmp_dir}" --no-project python -c "import {{module}}; print({{module}}.__version__)"