build-pyz.yml

name: Build PYZ distribution

run-name: ${{ github.event.release.tag_name || inputs.head-ref || github.event.workflow_run.display_title }}

on:
  release:
    types:
      - published

  # release published by workflow does not trigger above event;
  # rather, we're triggered by this below
  workflow_run:
    workflows:
      - publish
    types:
      - completed

  workflow_dispatch:
    inputs:
      head-ref:
        default: ""
        required: false
        type: string
        description: Non-default changeset to build

jobs:
  setup:
    runs-on: ubuntu-latest

    outputs:
      release-sha: ${{ steps.head.outputs.release-sha }}
      can-build: ${{ steps.upstream.outputs.can-build }}

    steps:
      - name: Check upstream success
        id: upstream
        env:
          CONCLUSION: ${{ github.event.workflow_run && github.event.workflow_run.conclusion || 'na' }}
        run: |
          case "$CONCLUSION" in
            success)
              echo "upstream publish successful"
              echo "can-build=true" >> $GITHUB_OUTPUT
              ;;
            na)
              echo "no upstream workflow"
              echo "can-build=true" >> $GITHUB_OUTPUT
              ;;
            *)
              echo "::notice::upstream publish unsuccessful"
              echo "can-build=false" >> $GITHUB_OUTPUT
              ;;
          esac

      - name: Check out repository
        uses: actions/checkout@v4
        if: fromJSON(steps.upstream.outputs.can-build)
        with:
          # fetch enough that we should feasibly be able to find this changeset
          # and its subsequent tag commit (but without fetching *everything*)
          ref: ${{ github.event.workflow_run.head_branch }}
          fetch-depth: 100
          # fetch tags s.t. we can interpret ref inputs on dispatch
          fetch-tags: true

      - name: Determine HEAD
        id: head
        if: fromJSON(steps.upstream.outputs.can-build)
        env:
          HEAD_REF: ${{ inputs.head-ref }}
          RUN_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          if [ -n "$HEAD_REF" ]
          then
            TARGET_REF="${HEAD_REF}^"
          else
            TARGET_REF="$RUN_SHA"
          fi

          HEAD="$(git log --format=%H ${TARGET_REF}.. | tail -n 1)"

          if [ -z "$HEAD" ]
          then
            echo "::error::could not find publish workflow changeset following ${TARGET_REF:0:9}"
            exit 1
          fi

          # Though we've fetched plenty of *commits* above, we can't rely on having all *tags*
          # So instead we'll query the remote.
          TAGS="$(git ls-remote --tags --refs --quiet | grep -E "^${HEAD}\s+" | awk '{print $2}' | awk -F / '{print $3}')"

          if [ -z "$TAGS" ]
          then
            echo "::error::changeset following ${TARGET_REF:0:9} does not appear to be tagged release: ${HEAD:0:9}"
            exit 1
          fi

          echo "publish workflow release SHA: $HEAD:" $TAGS

          echo "release-sha=$HEAD" >> $GITHUB_OUTPUT

  delegate:
    needs: [setup]
    uses: internet-equity/fate-pyz/.github/workflows/build-pyz.yml@0.6.8
    if: fromJSON(needs.setup.outputs.can-build)
    permissions:
      contents: write
    with:
      app-main: netrics
      app-alts: netrics.+
      app-solo: false
      head-sha: ${{ needs.setup.outputs.release-sha }}