cibuildwheel.yaml

# Build wheels using cibuildwheel (https://cibuildwheel.pypa.io/)
name: build-wheels

on:
  # Run when a release has been created
  release:
    types: [created]

  # NOTE(vytas): Also allow to release to Test PyPi manually.
  workflow_dispatch:

jobs:
  build-sdist:
    # NOTE(vytas): We actually build sdist and pure-Python wheel.
    name: sdist
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 2

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Build sdist and pure-Python wheel
        env:
          FALCON_DISABLE_CYTHON: "Y"
        run: |
          pip install --upgrade pip
          pip install --upgrade build
          python -m build

      - name: Check built artifacts
        run: |
          tools/check_dist.py ${{ github.event_name == 'release' && format('-r {0}', github.ref) || '' }}

      - name: Test sdist
        run: |
          tools/test_dist.py dist/*.tar.gz

      - name: Test pure-Python wheel
        run: |
          tools/test_dist.py dist/*.whl

      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: cibw-sdist
          path: dist/falcon-*

  upload-sdist:
    name: upload-sdist
    needs:
      - build-sdist
    runs-on: ubuntu-latest

    permissions:
      # NOTE(vytas): The 'contents' permission is needed for writing release assets.
      #   The default permissions seem to suffice, but we specify for clarity.
      contents: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 2

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          name: cibw-sdist
          path: dist

      - name: Check collected artifacts
        run: |
          tools/check_dist.py ${{ github.event_name == 'release' && format('-r {0}', github.ref) || '' }}

      - name: Upload sdist to release
        uses: AButler/upload-release-assets@v3.0
        if: github.event_name == 'release'
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          files: 'dist/*.tar.gz'

  publish-sdist:
    name: publish-sdist
    needs:
      - upload-sdist
    runs-on: ubuntu-latest

    permissions:
      # NOTE(vytas): This permission is mandatory for Trusted Publishing.
      id-token: write

    # APPSEC(vytas): By using as few third-party actions as possible,
    #   this job reduces its attack vector, and minimizes the risk of
    #   unauthorized access to the GitHub-backed trusted identity.
    steps:
      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          name: cibw-sdist
          path: dist

      # NOTE(vytas): Normally, invoking pypi-publish more than once in the
      #   same job is not considered supported, however, the two steps below
      #   are made mutually exclusive by the github.event_name condition.
      - name: Publish sdist and pure-Python wheel to TestPyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        if: github.event_name == 'workflow_dispatch'
        with:
          repository-url: https://test.pypi.org/legacy/

      - name: Publish sdist and pure-Python wheel to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        if: github.event_name == 'release'

  build-wheels:
    name: ${{ matrix.python }}-${{ matrix.platform.name }}
    needs: build-sdist
    runs-on: ${{ matrix.platform.os }}
    strategy:
      fail-fast: false
      matrix:
        platform:
          - name: manylinux_x86_64
            os: ubuntu-latest
          - name: musllinux_x86_64
            os: ubuntu-latest
          - name: manylinux_aarch64
            os: ubuntu-24.04-arm
          - name: musllinux_aarch64
            os: ubuntu-24.04-arm
          - name: manylinux_s390x
            os: ubuntu-latest
            emulation: true
          - name: macosx_arm64
            os: macos-15
          - name: win_amd64
            os: windows-latest
        python:
          - cp310
          - cp311
          - cp312
          - cp313
          - cp314
        include:
          - platform:
              name: manylinux_x86_64
              os: ubuntu-latest
            python: cp314t
          - platform:
              name: musllinux_x86_64
              os: ubuntu-latest
            python: cp314t
          - platform:
              name: manylinux_aarch64
              os: ubuntu-24.04-arm
            python: cp314t
          - platform:
              name: musllinux_aarch64
              os: ubuntu-24.04-arm
            python: cp314t

    defaults:
      run:
        shell: bash

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 2

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
        if: ${{ matrix.platform.emulation }}
        with:
          platforms: all

      - name: Build wheels
        uses: pypa/cibuildwheel@v3.2.1
        env:
          # NOTE(vytas): Uncomment to test against alpha/beta CPython
          #   (usually May-July until rc1).
          # CIBW_ENABLE: cpython-prerelease

          CIBW_ARCHS_LINUX: all
          CIBW_BUILD: ${{ matrix.python }}-${{ matrix.platform.name }}

      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: cibw-wheel-${{ matrix.python }}-${{ matrix.platform.name }}
          path: wheelhouse/falcon-*.whl

  check-wheels:
    name: check-wheels
    needs:
      - build-wheels
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 2

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: cibw-wheel-*
          path: dist
          merge-multiple: true

      - name: Check collected artifacts
        run: |
          tools/check_dist.py ${{ github.event_name == 'release' && format('-r {0}', github.ref) || '' }}

  publish-wheels:
    name: publish-wheels
    needs:
      - check-wheels
      - publish-sdist
    runs-on: ubuntu-latest

    permissions:
      # NOTE(vytas): This permission is mandatory for Trusted Publishing.
      id-token: write

    # APPSEC(vytas): By using as few third-party actions as possible,
    #   this job reduces its attack vector, and minimizes the risk of
    #   unauthorized access to the GitHub-backed trusted identity.
    steps:
      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: cibw-wheel-*
          path: dist
          merge-multiple: true

      # NOTE(vytas): Normally, invoking pypi-publish more than once in the
      #   same job is not considered supported, however, the two steps below
      #   are made mutually exclusive by the github.event_name condition.
      - name: Publish binary wheels to TestPyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        if: github.event_name == 'workflow_dispatch'
        with:
          repository-url: https://test.pypi.org/legacy/

      - name: Publish binary wheels to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        if: github.event_name == 'release'