reorder workflows

Author: spoorcc

.github/workflows/build.yml

@@ -1,19 +1,18 @@
 name: Build
 
 on:
-  push:
-    branches:
-      - main
-  pull_request:
-    types: [opened, synchronize, reopened]
+  workflow_call:
+    inputs:
+      release_id:
+        required: true
+        type: string
 
 permissions:
   contents: read
 
 jobs:
 
   build:
-    needs: prepare-release
     strategy:
       matrix:
         platform: [ubuntu-latest, macos-latest, windows-latest]
@@ -96,6 +95,21 @@ jobs:
               build/dfetch-package/*.msi
               build/dfetch-package/*.cdx.json
 
+      - name: Upload artifacts to release
+        if: ${{ inputs.release_id }} != ''
+        uses: softprops/action-gh-release@5122b4edc95f85501a71628a57dc180a03ec7588 # v2.5.0
+        with:
+          tag_name: ${{ inputs.release_id }}
+          files: |
+              build/dfetch-package/*.deb
+              build/dfetch-package/*.rpm
+              build/dfetch-package/*.pkg
+              build/dfetch-package/*.msi
+              build/dfetch-package/*.cdx.json
+          overwrite_files: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   test-binary:
     name: test binary
     needs:

.github/workflows/ci.yml

@@ -0,0 +1,52 @@
+name: CI & Release Orchestration
+
+on:
+  push:
+    branches:
+      - main
+      - automate-release
+    tags:
+      - '*.*.*'
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+  # Allows to run this workflow manually
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  draft-release:
+    uses: ./.github/workflows/release.yml
+    permissions:
+      contents: write
+      security-events: write
+
+  build-binaries:
+    needs: draft-release
+    uses: ./.github/workflows/build.yml
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      release_id: ${{ needs.draft-release.outputs.release_id }}
+
+  run:
+    needs: draft-release
+    uses: ./.github/workflows/run.yml
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      release_id: ${{ needs.draft-release.outputs.release_id }}
+
+  python-publish:
+    needs: draft-release
+    uses: ./.github/workflows/python-publish.yml
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+    with:
+      release_id: ${{ needs.draft-release.outputs.release_id }}

.github/workflows/docs.yml

@@ -9,17 +9,13 @@ jobs:
   docs:
     runs-on: ubuntu-latest
     steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+    - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
       with:
         egress-policy: audit
-
     - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0
-
-    - name: Install Python
-      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+    - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
       with:
-        python-version: '3.x'
+        python-version: '3.13'
 
     - name: Install documentation requirements
       run: "pip install .[docs] && pip install sphinx_design"

.github/workflows/landing-page.yml

@@ -13,17 +13,13 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
-
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0
-
-      - name: Setup Python
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
-          python-version: "3.13"
+          python-version: '3.13'
 
       - name: Install dependencies
         run: |

.github/workflows/python-publish.yml

@@ -5,12 +5,13 @@ name: Upload Python Package
 
 on:
   release:
-    types: [created]
-  pull_request:
-    types: [opened, synchronize, reopened]
+    types: [published]
 
-  # Allows to run this workflow manually
-  workflow_dispatch:
+  workflow_call:
+    inputs:
+      release_id:
+        required: true
+        type: string
 
 permissions:
   contents: read
@@ -95,20 +96,20 @@ jobs:
       uses: pypa/gh-action-pypi-publish@03f86fee9ac21f854951f5c6e2a02c2a1324aec7 # v1
 
   release:
-    if: github.ref_type == 'tag'
     runs-on: ubuntu-latest
-    needs:
-    - build
-    permissions:
-      contents: write
-      security-events: write
+    if: ${{ inputs.release_id }} != ''
+    needs: build
     steps:
-    - name: Upload wheels to release
+    - name: Download all the dists
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v5
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Upload artifacts to release
       uses: softprops/action-gh-release@5122b4edc95f85501a71628a57dc180a03ec7588 # v2.5.0
       with:
-        tag_name: ${{ github.ref_name }}
-        name: ${{ github.ref_name }}
-        draft: true
-        files: dist/
+        tag_name: ${{ inputs.release_id }}
+        files: dist/*
+        overwrite_files: false
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -1,12 +1,7 @@
 name: Releases
 
 on:
-  push:
-    branches:
-      - main
-      - automate-release
-    tags:
-      - '*.*.*'
+  workflow_call:
 
 permissions:
   contents: read
@@ -18,23 +13,36 @@ jobs:
       contents: write
       security-events: write
 
+    outputs:
+      release_id: ${{ steps.release_info.outputs.tag }}
+
     steps:
+      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0
-
-      - name: Setup Python
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: '3.13'
 
       - name: Determine release info
         id: release_info
         run: |
-          if [[ "${GITHUB_REF}" == "refs/heads/automate-release" ]]; then
-            TAG="latest"
-          else
-            TAG="${GITHUB_REF#refs/tags/}"
-          fi
-          echo "tag=$TAG" >> $GITHUB_OUTPUT
+              if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
+                BRANCH="${GITHUB_HEAD_REF}"
+              else
+                BRANCH="${GITHUB_REF#refs/heads/}"
+              fi
+
+              if [[ "$BRANCH" == "main" || "$BRANCH" == "automate-release" ]]; then
+                TAG="latest"
+              elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then
+                TAG="${GITHUB_REF#refs/tags/}"
+              else
+                TAG=""
+              fi
+              echo "tag=$TAG"
+              echo "tag=$TAG" >> $GITHUB_OUTPUT
 
       - name: Update latest tag
         if: github.ref == 'refs/heads/automate-release'
@@ -45,11 +53,13 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Generate release notes
+        if: ${{ steps.release_info.outputs.tag != '' }}
         id: notes
         run: |
           python script/create_release_notes.py
 
       - name: Create release
+        if: ${{ steps.release_info.outputs.tag != '' }}
         uses: softprops/action-gh-release@5122b4edc95f85501a71628a57dc180a03ec7588 # v2.5.0
         with:
           tag_name: ${{ steps.release_info.outputs.tag }}

.github/workflows/run.yml

@@ -1,11 +1,11 @@
 name: Run
 
 on:
-  push:
-    branches:
-      - main
-  pull_request:
-    types: [opened, synchronize, reopened]
+  workflow_call:
+    inputs:
+      release_id:
+        required: true
+        type: string
 
 permissions:
   contents: read
@@ -58,7 +58,7 @@ jobs:
             dfetch update
             dfetch report
 
-  test:
+  run:
     strategy:
       matrix:
         platform: [ubuntu-latest, macos-latest, windows-latest]

.github/workflows/test.yml

@@ -14,15 +14,11 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
-
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0
-
-      - name: Setup Python
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: '3.13'