From 40f0aa57e2b7bdbd8e58e88eeeff1dc63d6bbee2 Mon Sep 17 00:00:00 2001
From: John Bartholomew <jpa.bartholomew@gmail.com>
Date: Sat, 22 Feb 2025 17:19:55 +0000
Subject: [PATCH 1/6] ci: update release workflow action references

---
 .github/workflows/release.yml | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e802594e9..aa34b3370 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,25 +6,22 @@ name: goreleaser
 on:
   push:
     tags:
-      - '*'
+      - "*"
 
 jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
+      - name: Checkout
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      -
-        name: Set up Go
-        uses: actions/setup-go@v2
+      - name: Set up Go
+        uses: actions/setup-go@v5
         with:
           go-version: 1.20
-      -
-        name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1
         with:
           version: latest
           args: release --rm-dist

From 90261f34cff7928d3a00f53ed9acbbc56c040e74 Mon Sep 17 00:00:00 2001
From: John Bartholomew <jpa.bartholomew@gmail.com>
Date: Sat, 22 Feb 2025 17:25:26 +0000
Subject: [PATCH 2/6] ci: trigger release workflow manually

---
 .github/workflows/release.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index aa34b3370..ef273c02c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,9 +4,12 @@
 name: goreleaser
 
 on:
-  push:
-    tags:
-      - "*"
+  workflow_dispatch:
+    inputs:
+      prerelease:
+        description: If set, publish this as a release candidate / prerelease version.
+        type: boolean
+        required: true
 
 jobs:
   release:

From 63ffeb88750b9de088b5a5b7121bad10b7e2220e Mon Sep 17 00:00:00 2001
From: John Bartholomew <jpa.bartholomew@gmail.com>
Date: Sat, 22 Feb 2025 17:25:42 +0000
Subject: [PATCH 3/6] ci: configure goreleaser to create draft GitHub releases

---
 .goreleaser.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.goreleaser.yml b/.goreleaser.yml
index c9cd838f8..9e965172d 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -81,7 +81,6 @@ builds:
     main: ./cmd/jsonnet-deps
     binary: jsonnet-deps
 
-
 archives:
   - name_template: >-
       {{- .ProjectName }}_
@@ -94,6 +93,10 @@ archives:
 checksum:
   name_template: "checksums.txt"
 
+release:
+  draft: true
+  skip_upload: false
+
 nfpms:
   - id: jsonnet
     package_name: jsonnet-go
@@ -145,7 +148,7 @@ nfpms:
           # See: https://packages.ubuntu.com/jsonnet
           - jsonnet-lint
   - id: jsonnet-deps
-    package_name:  jsonnet-deps-go
+    package_name: jsonnet-deps-go
     builds:
       - jsonnet-deps
     homepage: https://github.com/google/go-jsonnet

From 6f82698b7db1b8da1873d967fb6a4d01cb1c5c41 Mon Sep 17 00:00:00 2001
From: John Bartholomew <jpa.bartholomew@gmail.com>
Date: Sat, 22 Feb 2025 17:25:58 +0000
Subject: [PATCH 4/6] ci: copy the publish-python.yml workflow from C++ jsonnet

---
 .github/workflows/publish-python.yml | 108 +++++++++++++++++++++++++++
 pyproject.toml                       |   3 +
 2 files changed, 111 insertions(+)
 create mode 100644 .github/workflows/publish-python.yml
 create mode 100644 pyproject.toml

diff --git a/.github/workflows/publish-python.yml b/.github/workflows/publish-python.yml
new file mode 100644
index 000000000..bba8cab13
--- /dev/null
+++ b/.github/workflows/publish-python.yml
@@ -0,0 +1,108 @@
+name: Build and Publish Python Package
+
+# Be very careful granting extra permissions here, as this workflow uses third party actions.
+# Prefer to pin to exact commits for third-party actions. I'm making an exception for actions
+# maintained by GitHub itself.
+
+# For now, just trigger this workflow manually.
+on:
+  workflow_dispatch:
+    inputs:
+      upload_to_pypi:
+        description: "Upload generate package files to PyPI"
+        required: true
+        type: boolean
+      pypi_environment:
+        description: "Which PyPI instance to publish to"
+        required: true
+        type: choice
+        options:
+          - testpypi
+          - pypi
+
+jobs:
+  build_sdist:
+    name: Build Python sdist
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+          cache: "pip"
+
+      - run: pip install 'build==1.2.2'
+
+      - name: Build sdist
+        run: python3 -m build --sdist
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: sdist
+          path: ./dist/*.gz
+          if-no-files-found: error
+
+  build_wheels:
+    name: Build wheels on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        #os: [ubuntu-22.04, windows-latest, macos-latest]
+        os: [ubuntu-22.04, windows-latest]
+
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build wheels
+        uses: pypa/cibuildwheel@ee63bf16da6cddfb925f542f2c7b59ad50e93969 # v2.22.0
+        env:
+          # Skip PyPy, 32-bit Windows, 32-bit Linux, and CPython before 3.9.
+          # See https://cibuildwheel.readthedocs.io/en/stable/options/#examples_1
+          CIBW_SKIP: "*-win32 pp* *-manylinux_i686 *-musllinux_i686 cp36-* cp37-* cp38-*"
+          CIBW_TEST_COMMAND: >
+            python {package}/python/_jsonnet_test.py
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: cibw-wheels-${{ matrix.os }}
+          path: ./wheelhouse/*.whl
+          if-no-files-found: error
+
+  upload_to_pypi:
+    name: "Upload packages to PyPI"
+    needs: [build_sdist, build_wheels]
+    runs-on: ubuntu-24.04
+    if: "${{ inputs.upload_to_pypi }}"
+    permissions:
+      contents: read
+      id-token: write # Needed for PyPI Trusted Publishing
+    environment:
+      name: "${{ inputs.pypi_environment }}"
+      url: "${{ inputs.pypi_environment == 'pypi' && 'https://pypi.org/p/gosonnet' || 'https://test.pypi.org/p/gosonnet' }}"
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          path: cibw-wheels
+          pattern: cibw-wheels-*
+      - uses: actions/download-artifact@v4
+        with:
+          path: sdist
+          name: sdist
+      - name: Flatten wheels to one directory
+        run: |
+          mkdir dist
+          find cibw-wheels/ -type f -name '*.whl' -exec mv '{}' ./dist/ ';'
+          find sdist/ -type f -name '*.gz' -exec mv '{}' ./dist/ ';'
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
+        with:
+          verbose: true
+          print-hash: true
+          repository-url: "${{ inputs.pypi_environment == 'testpypi' && 'https://test.pypi.org/legacy/' || '' }}"
diff --git a/pyproject.toml b/pyproject.toml
new file mode 100644
index 000000000..fed528d4a
--- /dev/null
+++ b/pyproject.toml
@@ -0,0 +1,3 @@
+[build-system]
+requires = ["setuptools"]
+build-backend = "setuptools.build_meta"

From e04e807f4e2d21e8d44e1ff0aaf1fd7f043e66d0 Mon Sep 17 00:00:00 2001
From: John Bartholomew <jpa.bartholomew@gmail.com>
Date: Sat, 22 Feb 2025 17:32:07 +0000
Subject: [PATCH 5/6] ci: run build-and-test on pushes to prepare-release
 branch

---
 .github/workflows/ci.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 00dee0410..144eaacdc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,7 @@ on:
   push:
     branches:
       - master
+      - prepare-release
 jobs:
   test:
     name: Test go${{ matrix.goVersion}}.x ${{ matrix.goArch }}

From 579361c1b5eb4faa3826887ff99b0f6cf6279cc5 Mon Sep 17 00:00:00 2001
From: John Bartholomew <jpa.bartholomew@gmail.com>
Date: Sat, 22 Feb 2025 17:35:46 +0000
Subject: [PATCH 6/6] ci: update versions of referenced github actions in
 ci.yml

---
 .github/workflows/ci.yml | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 144eaacdc..c9382a4b1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,10 @@ on:
     branches:
       - master
       - prepare-release
+
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test go${{ matrix.goVersion}}.x ${{ matrix.goArch }}
@@ -38,8 +42,8 @@ jobs:
             SKIP_PYTHON_BINDINGS_TESTS: "0"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.goVersion }}
       - run: sudo apt install python3-dev python3-setuptools
@@ -56,8 +60,8 @@ jobs:
     name: bazel test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/cache@v2
+      - uses: actions/checkout@v4
+      - uses: actions/cache@v4
         with:
           path: |
             ~/.cache/bazel
@@ -70,7 +74,7 @@ jobs:
     name: Check all
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - run: sudo apt install python3-dev python3-setuptools
       - run: pip install -U wheel
       - run: pip install -U pytest setuptools
@@ -92,7 +96,7 @@ jobs:
     name: Goreleaser
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: goreleaser/goreleaser-action@v2
+      - uses: actions/checkout@v4
+      - uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1
         with:
           args: release --snapshot --skip=publish --clean