manual-publish.yml

name: Publish Package
on:
  workflow_dispatch:
    inputs:
      dry_run:
        description: 'Is this a dry run? If so no package will be published.'
        type: boolean
        required: true

jobs:
  build-publish:
    runs-on: ubuntu-latest
    # Needed to get tokens during publishing.
    permissions:
      id-token: write
      contents: read
    outputs:
      package-hashes: ${{ steps.build.outputs.package-hashes}}
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v4
        with:
          python-version: 3.8

      - name: Install poetry
        run: pipx install poetry

      - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.0.0
        name: 'Get PyPI token'
        with:
          aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
          ssm_parameter_pairs: '/production/common/releasing/pypi/token = PYPI_AUTH_TOKEN'

      - uses: ./.github/actions/build
        id: build

      - uses: ./.github/actions/publish
        with:
          token: ${{env.PYPI_AUTH_TOKEN}}
          dry_run: ${{ inputs.dry_run }}

  release-provenance:
    needs: [ 'build-publish' ]
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0
    with:
      base64-subjects: "${{ needs.build-publish.outputs.package-hashes }}"
      upload-assets: ${{ !inputs.dry_run }}