.github/workflows/release.yml

name: release

on:
  push:
    tags:
      - "v*.*.*"
    branches:
      - main

permissions:
  contents: read

jobs:
  test:
    uses: ./.github/workflows/test-release.yml
    with:
      full-matrix: true
      enabled: ${{ startsWith(github.ref, 'refs/tags') }}

  packages:
    permissions:
      attestations: write
      id-token: write
      contents: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/packages
      - name: generate build provenance
        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c  # v1.4.3
        with:
          subject-path: "${{ github.workspace }}/dist/*"

  publish-pypi:
    needs:
      - test
      - packages
    runs-on: ubuntu-latest
    environment: release
    permissions:
      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: packages
          path: dist
      - name: Upload pypi.org
        if: startsWith(github.ref, 'refs/tags')
        uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # v1.10.3
        with:
          repository-url: https://upload.pypi.org/legacy/
      - name: Upload test.pypi.org
        if: ${{ ! startsWith(github.ref, 'refs/tags') }}
        uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # v1.10.3
        with:
          repository-url: https://test.pypi.org/legacy/

  build-distribution:
    permissions:
      attestations: write
      id-token: write
      contents: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/build-distribution
      - name: generate build provenance
        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c  # v1.4.3
        with:
          subject-path: "${{ github.workspace }}/build/dist/elastic-apm-python-lambda-layer.zip"

  publish-lambda-layers:
    permissions:
      contents: read
      id-token: write
    needs:
      - build-distribution
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: build-distribution
          path: ./build
      - uses: elastic/oblt-actions/aws/auth@v1
        with:
          aws-account-id: "267093732750"
      - name: Publish lambda layers to AWS
        if: startsWith(github.ref, 'refs/tags')
        run: |
          # Convert v1.2.3 to ver-1-2-3
          VERSION=${GITHUB_REF_NAME/v/ver-}
          VERSION=${VERSION//./-}

          ELASTIC_LAYER_NAME="elastic-apm-python-${VERSION}" .ci/publish-aws.sh
      - uses: actions/upload-artifact@v4
        if: startsWith(github.ref, 'refs/tags')
        with:
          name: arn-file
          path: ".arn-file.md"
          if-no-files-found: error

  publish-docker:
    needs:
      - build-distribution
    runs-on: ubuntu-latest
    permissions:
      attestations: write
      id-token: write
      contents: write
    strategy:
      fail-fast: false
      matrix:
        dockerfile: [ 'Dockerfile', 'Dockerfile.wolfi' ]
    env:
      DOCKER_IMAGE_NAME: docker.elastic.co/observability/apm-agent-python
    steps:
      - uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Log in to the Elastic Container registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ${{ secrets.ELASTIC_DOCKER_REGISTRY }}
          username: ${{ secrets.ELASTIC_DOCKER_USERNAME }}
          password: ${{ secrets.ELASTIC_DOCKER_PASSWORD }}

      - uses: actions/download-artifact@v4
        with:
          name: build-distribution
          path: ./build

      - name: Extract metadata (tags, labels)
        id: docker-meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81  # v5.5.1
        with:
          images: ${{ env.DOCKER_IMAGE_NAME }}
          tags: |
            type=raw,value=latest,prefix=test-,enable={{is_default_branch}}
            type=semver,pattern={{version}}
          flavor: |
            suffix=${{ contains(matrix.dockerfile, 'wolfi') && '-wolfi' || '' }}

      - name: Build and push image
        id: docker-push
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75  # v6.9.0
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          file: ${{ matrix.dockerfile }}
          tags: ${{ steps.docker-meta.outputs.tags }}
          labels: ${{ steps.docker-meta.outputs.labels }}
          build-args: |
            AGENT_DIR=./build/dist/package/python

      - name: generate build provenance (containers)
        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c  # v1.4.3
        with:
          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
          subject-digest: ${{ steps.docker-push.outputs.digest }}
          push-to-registry: true

  github-draft:
    permissions:
      contents: write
    needs:
      - publish-lambda-layers
    if: startsWith(github.ref, 'refs/tags')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: arn-file
      - name: Create GitHub Draft Release
        run: >-
          gh release create "${GITHUB_REF_NAME}"
          --title="${GITHUB_REF_NAME}"
          --generate-notes
          --notes-file=".arn-file.md"
          --draft
        env:
          GH_TOKEN: ${{ github.token }}

  notify:
    runs-on: ubuntu-latest
    if: always()
    needs:
      - publish-lambda-layers
      - publish-pypi
      - publish-docker
      - github-draft
    steps:
      - id: check
        uses: elastic/apm-pipeline-library/.github/actions/check-dependent-jobs@current
        with:
          needs: ${{ toJSON(needs) }}
      - if: startsWith(github.ref, 'refs/tags')
        uses: elastic/oblt-actions/slack/notify-result@v1
        with:
          bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
          channel-id: "#apm-agent-python"
          status: ${{ steps.check.outputs.status }}