From 6f9e3a05ae106eb0e9fc89125c8edbdba868f963 Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Sat, 28 Mar 2026 11:48:13 -0700
Subject: [PATCH 1/3] fixed github actions
---
 .github/workflows/pypi.yml | 15 +++++++++----
 .github/workflows/release-docker.yml | 32 +++++++++++++++-------------
 .github/workflows/release.yml | 23 ++++++++++++++++++++
 3 files changed, 51 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 874dbe2..4ce81cd 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -3,6 +3,12 @@ name: pypi-wheels
 on:
 release:
 types: [published]
+ workflow_call:
+ inputs:
+ tag:
+ description: "Release tag to package (e.g., v1.2.3)"
+ required: true
+ type: string
 workflow_dispatch:
 inputs:
 tag:
@@ -24,15 +30,16 @@ jobs:
 id: version
 shell: bash
 env:
- INPUT_TAG: ${{ github.event.inputs.tag || '' }}
+ INPUT_TAG: ${{ inputs.tag || '' }}
 RELEASE_TAG_NAME: ${{ github.event.release.tag_name || '' }}
 GH_TOKEN: ${{ github.token }}
 run: |
 set -euo pipefail
- if [[ "${GITHUB_EVENT_NAME}" == "release" && -n "${RELEASE_TAG_NAME}" ]]; then
- TAG="${RELEASE_TAG_NAME}"
- elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${INPUT_TAG}" ]]; then
+ if [[ -n "${INPUT_TAG}" ]]; then
+ # workflow_call or workflow_dispatch with explicit tag
 TAG="${INPUT_TAG}"
+ elif [[ "${GITHUB_EVENT_NAME}" == "release" && -n "${RELEASE_TAG_NAME}" ]]; then
+ TAG="${RELEASE_TAG_NAME}"
 else
 TAG=$(gh release view --repo "${{ github.repository }}" --json tagName --jq .tagName)
 fi
diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml
index 0fc00e7..9ac1e81 100644
--- a/.github/workflows/release-docker.yml
+++ b/.github/workflows/release-docker.yml
@@ -5,11 +5,15 @@ name: Publish Docker image
 # Triggers
 ###############################################################################
 on:
- # 1️⃣ Traditional: run automatically when a GitHub Release is published
- release:
- types: [published]
+ # Called automatically by the release workflow after a successful build
+ workflow_call:
+ inputs:
+ tag:
+ description: "Tag to push (e.g. v1.2.3)"
+ required: true
+ type: string
- # 2️⃣ Manual: “Run workflow” button or `gh workflow run`
+ # Manual: "Run workflow" button or `gh workflow run`
 workflow_dispatch:
 inputs:
 tag:
@@ -19,7 +23,7 @@ on:
 ###############################################################################
 permissions:
- contents: read # needed for checkout + GH API
+ contents: read # needed for checkout
 ###############################################################################
 jobs:
@@ -31,24 +35,22 @@ jobs:
 steps:
 # -----------------------------------------------------------------------
- # Decide which tag we’re going to publish
+ # Decide which tag we're going to publish
 # -----------------------------------------------------------------------
 - name: Determine tag
 id: tag
 shell: bash
 env:
- # populated only for workflow_dispatch
- MANUAL_TAG: ${{ github.event.inputs.tag }}
- RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
+ # workflow_call passes tag here; workflow_dispatch may or may not
+ CALL_TAG: ${{ inputs.tag }}
 run: |
 set -euo pipefail
- if [[ "${GITHUB_EVENT_NAME}" == "release" ]]; then
- RAW_TAG="${RELEASE_TAG_NAME}"
- elif [[ -n "${MANUAL_TAG}" ]]; then
- RAW_TAG="${MANUAL_TAG}"
+ if [[ -n "${CALL_TAG}" ]]; then
+ RAW_TAG="${CALL_TAG}"
 else
- # manual w/o tag → ask GitHub API for latest release tag
- RAW_TAG=$(gh release view --repo "${{ github.repository }}" --json tagName --jq .tagName)
+ # workflow_dispatch without a tag → query latest release (no auth
+ # needed for public repos)
+ RAW_TAG=$(curl -sf "https://api.github.com/repos/${{ github.repository }}/releases/latest" | jq -r .tag_name)
 fi
 if [[ ! "${RAW_TAG}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 37e5aaf..8851fa4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -352,6 +352,8 @@ jobs:
 name: Public GitHub Release
 needs: [linux-x64, linux-arm64, windows, macos-x64, macos-arm64]
 runs-on: ubuntu-latest
+ outputs:
+ tag: ${{ steps.version.outputs.tag }}
 permissions:
 contents: write
 id-token: write
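Review bot: The `else` branch of the "Determine tag" step in release-docker.yml treats any empty `CALL_TAG` as a manual run and resolves to whatever the latest release is, and after this change that also covers a `workflow_call` whose caller passed an empty string. As far as I know, `required: true` on a `workflow_call` input only checks that the key is supplied, so an empty `needs.release.outputs.tag` from release.yml would land in this branch and publish an image for a different release instead of failing. The same branch is kept in patch 2/3 (with `gh release view` in place of `curl`), while pypi.yml in 3/3 fails closed on an empty tag. Consider doing the same here by replacing the fallback with `echo "No tag provided" >&2; exit 1`, or by making the `workflow_dispatch` tag input required. The step's script continues past the end of the hunk.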
@@ -405,3 +407,24 @@ jobs:
 uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
 with:
 subject-path: 'target/release/*'
+
+ # ──────────────── Publish Docker image ────────────────
+ publish-docker:
+ needs: [release]
+ uses: ./.github/workflows/release-docker.yml
+ with:
+ tag: ${{ needs.release.outputs.tag }}
+ permissions:
+ contents: read
+ packages: write
+
+ # ──────────────── Publish PyPI wheels ────────────────
+ publish-pypi:
+ needs: [release]
+ uses: ./.github/workflows/pypi.yml
+ with:
+ tag: ${{ needs.release.outputs.tag }}
+ secrets: inherit
+ permissions:
+ contents: read
+ id-token: write
From af66acd18dc0ba25c64f60839ed9e9a59892d1a6 Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Sat, 28 Mar 2026 11:59:22 -0700
Subject: [PATCH 2/3] fixed github actions
---
 .github/workflows/pypi.yml | 6 +++---
 .github/workflows/release-docker.yml | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 4ce81cd..2da656c 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -30,9 +30,8 @@ jobs:
 id: version
 shell: bash
 env:
- INPUT_TAG: ${{ inputs.tag || '' }}
+ INPUT_TAG: ${{ inputs.tag || github.event.inputs.tag || '' }}
 RELEASE_TAG_NAME: ${{ github.event.release.tag_name || '' }}
- GH_TOKEN: ${{ github.token }}
 run: |
 set -euo pipefail
 if [[ -n "${INPUT_TAG}" ]]; then
@@ -41,7 +40,8 @@ jobs:
 elif [[ "${GITHUB_EVENT_NAME}" == "release" && -n "${RELEASE_TAG_NAME}" ]]; then
 TAG="${RELEASE_TAG_NAME}"
 else
- TAG=$(gh release view --repo "${{ github.repository }}" --json tagName --jq .tagName)
+ echo "No tag provided and not a release event — cannot determine version" >&2
+ exit 1
 fi
 if [[ ! "${TAG}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
 echo "Invalid tag format: ${TAG}" >&2
diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml
index 9ac1e81..199dcb3 100644
--- a/.github/workflows/release-docker.yml
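Review bot: The new `publish-pypi` job in release.yml (patch 1/3) hands `id-token: write` to pypi.yml through `workflow_call`, so if that workflow uploads with PyPI Trusted Publishing (the upload step is not part of this diff) the OIDC identity PyPI evaluates is no longer that of a directly triggered pypi.yml. To my knowledge PyPI has documented reusable workflows as unsupported for Trusted Publishing, so confirm the publisher configuration still matches this call path before relying on it for a real release. A comment above the job would record the dependency, for example `# pypi.yml runs as a reusable workflow here; the PyPI trusted-publisher entry must match this call path`.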
+++ b/.github/workflows/release-docker.yml
@@ -43,14 +43,14 @@ jobs:
 env:
 # workflow_call passes tag here; workflow_dispatch may or may not
 CALL_TAG: ${{ inputs.tag }}
+ GH_TOKEN: ${{ github.token }}
 run: |
 set -euo pipefail
 if [[ -n "${CALL_TAG}" ]]; then
 RAW_TAG="${CALL_TAG}"
 else
- # workflow_dispatch without a tag → query latest release (no auth
- # needed for public repos)
- RAW_TAG=$(curl -sf "https://api.github.com/repos/${{ github.repository }}/releases/latest" | jq -r .tag_name)
+ # workflow_dispatch without a tag → query latest release
+ RAW_TAG=$(gh release view --repo "${{ github.repository }}" --json tagName --jq .tagName)
 fi
 if [[ ! "${RAW_TAG}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
From 5b51aa941d351867d2da923e58daa64713b5637d Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Sat, 28 Mar 2026 12:09:28 -0700
Subject: [PATCH 3/3] fixed github actions
---
 .github/workflows/pypi.yml | 13 +++----------
 .github/workflows/release.yml | 1 -
 2 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 2da656c..5b36a0d 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -1,8 +1,6 @@
 name: pypi-wheels
 on:
- release:
- types: [published]
 workflow_call:
 inputs:
 tag:
@@ -31,18 +29,13 @@ jobs:
 shell: bash
 env:
 INPUT_TAG: ${{ inputs.tag || github.event.inputs.tag || '' }}
- RELEASE_TAG_NAME: ${{ github.event.release.tag_name || '' }}
 run: |
 set -euo pipefail
- if [[ -n "${INPUT_TAG}" ]]; then
- # workflow_call or workflow_dispatch with explicit tag
- TAG="${INPUT_TAG}"
- elif [[ "${GITHUB_EVENT_NAME}" == "release" && -n "${RELEASE_TAG_NAME}" ]]; then
- TAG="${RELEASE_TAG_NAME}"
- else
- echo "No tag provided and not a release event — cannot determine version" >&2
+ if [[ -z "${INPUT_TAG}" ]]; then
+ echo "No tag provided — cannot determine version" >&2
 exit 1
 fi
+ TAG="${INPUT_TAG}"
 if [[ ! "${TAG}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
 echo "Invalid tag format: ${TAG}" >&2
 exit 1
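Review bot: The restored `gh release view` line in release-docker.yml (patch 2/3) expands `${{ github.repository }}` into the script text before bash runs, whereas the tag just above it is deliberately passed through `env`. The runner already exports the same value, so `--repo "${GITHUB_REPOSITORY}"` keeps the script free of template expansion and consistent with how `CALL_TAG` is handled. With `GH_TOKEN` back in this step, the workflow-level comment that patch 1/3 shortened to `# needed for checkout` is stale again and could read `# needed for checkout + GH API`. The step's script continues past the end of the hunk.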
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8851fa4..8ea626f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -424,7 +424,6 @@ jobs:
 uses: ./.github/workflows/pypi.yml
 with:
 tag: ${{ needs.release.outputs.tag }}
- secrets: inherit
 permissions:
 contents: read
 id-token: write