chore: Pin GitHub Actions #105

	name: Release

	on:
	pull_request:
	types: [closed]
	branches: [main]

	defaults:
	run:
	shell: bash

	jobs:
	create-release:
	name: Create GitHub Release
	if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'version-bump')
	runs-on: ubuntu-latest
	permissions:
	contents: write
	steps:
	- name: Generate token
	id: generate-token
	uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
	with:
	app-id: ${{ vars.SDK_BOT_APP_ID }}
	private-key: ${{ secrets.SDK_BOT_PRIVATE_KEY }}

	- name: Checkout
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	token: ${{ steps.generate-token.outputs.token }}

	- name: Get version from pyproject.toml
	id: get-version
	run: \|
	VERSION=$(grep '^version = ' pyproject.toml \| sed 's/version = "$.*$"/\1/')
	echo "version=$VERSION" >> $GITHUB_OUTPUT

	- name: Create Release
	uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
	with:
	tag_name: v${{ steps.get-version.outputs.version }}
	name: v${{ steps.get-version.outputs.version }}
	generate_release_notes: true
	token: ${{ steps.generate-token.outputs.token }}

	publish:
	name: Publish to PyPI
	needs: create-release
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	contents: read
	steps:
	- name: Checkout
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	- name: Install uv
	uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
	- name: Build
	run: uv build
	- name: Publish
	run: uv publish

Provide feedback