release-pypi.yaml

name: Release to PyPi
on:
  release:
    types: [created]

env:
  AWS_ROLE: arn:aws:iam::${{secrets.AWS_ACCOUNT}}:role/PublisherTokenReader
  AWS_REGION: us-west-2

jobs:
  upload-to-pypi:
    name: Upload to PyPi
    runs-on: ubuntu-20.04
    permissions:
      id-token: write
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Install dependencies
        run: python3 -m pip install --upgrade pip build setuptools wheel
      - name: Build pip package
        run: python3 -m build
      - name: Authenticate GitHub workflow to AWS
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ env.AWS_ROLE }}
          aws-region: ${{ env.AWS_REGION }}
      - name: Fetch secrets
        run: |
          github_token="$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')"
          echo "::add-mask::$github_token"
          echo "GITHUB_TOKEN=$github_token" >> $GITHUB_ENV
      - name: Get Package Name
        id: get_package_name
        run: |
          echo "package_name=$(ls dist/*.whl | cut -d / -f 2)" >> $GITHUB_OUTPUT
      - name: Upload release binary
        uses: softprops/action-gh-release@v2
        with:
          files: dist/${{ steps.get_package_name.outputs.package_name }}
      - name: Publish package distributions to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1