fixed github actions

2026-03-28 11:48:13 -07:00 · 2026-03-28 11:48:13 -07:00 · 6f9e3a05ae
commit 6f9e3a05ae
parent b14522351b
3 changed files with 51 additions and 19 deletions
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@ -3,6 +3,12 @@ name: pypi-wheels
 on:
  release:
    types: [published]
+  workflow_call:
+    inputs:
+      tag:
+        description: "Release tag to package (e.g., v1.2.3)"
+        required: true
+        type: string
  workflow_dispatch:
    inputs:
      tag:
@ -24,15 +30,16 @@ jobs:
        id: version
        shell: bash
        env:
-          INPUT_TAG: ${{ github.event.inputs.tag || '' }}
+          INPUT_TAG: ${{ inputs.tag || '' }}
          RELEASE_TAG_NAME: ${{ github.event.release.tag_name || '' }}
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
-          if [[ "${GITHUB_EVENT_NAME}" == "release" && -n "${RELEASE_TAG_NAME}" ]]; then
-            TAG="${RELEASE_TAG_NAME}"
-          elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${INPUT_TAG}" ]]; then
+          if [[ -n "${INPUT_TAG}" ]]; then
+            # workflow_call or workflow_dispatch with explicit tag
            TAG="${INPUT_TAG}"
+          elif [[ "${GITHUB_EVENT_NAME}" == "release" && -n "${RELEASE_TAG_NAME}" ]]; then
+            TAG="${RELEASE_TAG_NAME}"
          else
            TAG=$(gh release view --repo "${{ github.repository }}" --json tagName --jq .tagName)
          fi
--- a/.github/workflows/release-docker.yml
+++ b/.github/workflows/release-docker.yml
@ -5,11 +5,15 @@ name: Publish Docker image
 # Triggers
 ###############################################################################
 on:
-  # 1️⃣  Traditional: run automatically when a GitHub Release is published
-  release:
-    types: [published]
+  # Called automatically by the release workflow after a successful build
+  workflow_call:
+    inputs:
+      tag:
+        description: "Tag to push (e.g. v1.2.3)"
+        required: true
+        type: string

-  # 2️⃣  Manual: “Run workflow” button or `gh workflow run`
+  # Manual: "Run workflow" button or `gh workflow run`
  workflow_dispatch:
    inputs:
      tag:
@ -19,7 +23,7 @@ on:

 ###############################################################################
 permissions:
-  contents: read       # needed for checkout + GH API
+  contents: read       # needed for checkout

 ###############################################################################
 jobs:
@ -31,24 +35,22 @@ jobs:

    steps:
    # -----------------------------------------------------------------------
-    # Decide which tag we’re going to publish
+    # Decide which tag we're going to publish
    # -----------------------------------------------------------------------
    - name: Determine tag
      id: tag
      shell: bash
      env:
-        # populated only for workflow_dispatch
-        MANUAL_TAG: ${{ github.event.inputs.tag }}
-        RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
+        # workflow_call passes tag here; workflow_dispatch may or may not
+        CALL_TAG: ${{ inputs.tag }}
      run: |
        set -euo pipefail
-        if [[ "${GITHUB_EVENT_NAME}" == "release" ]]; then
-          RAW_TAG="${RELEASE_TAG_NAME}"
-        elif [[ -n "${MANUAL_TAG}" ]]; then
-          RAW_TAG="${MANUAL_TAG}"
+        if [[ -n "${CALL_TAG}" ]]; then
+          RAW_TAG="${CALL_TAG}"
        else
-          # manual w/o tag → ask GitHub API for latest release tag
-          RAW_TAG=$(gh release view --repo "${{ github.repository }}" --json tagName --jq .tagName)
+          # workflow_dispatch without a tag → query latest release (no auth
+          # needed for public repos)
+          RAW_TAG=$(curl -sf "https://api.github.com/repos/${{ github.repository }}/releases/latest" | jq -r .tag_name)
        fi

        if [[ ! "${RAW_TAG}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -352,6 +352,8 @@ jobs:
    name: Public GitHub Release
    needs: [linux-x64, linux-arm64, windows, macos-x64, macos-arm64]
    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.version.outputs.tag }}
    permissions:
      contents: write
      id-token: write
@ -405,3 +407,24 @@ jobs:
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-path: 'target/release/*'
+
+  # ──────────────── Publish Docker image ────────────────
+  publish-docker:
+    needs: [release]
+    uses: ./.github/workflows/release-docker.yml
+    with:
+      tag: ${{ needs.release.outputs.tag }}
+    permissions:
+      contents: read
+      packages: write
+
+  # ──────────────── Publish PyPI wheels ────────────────
+  publish-pypi:
+    needs: [release]
+    uses: ./.github/workflows/pypi.yml
+    with:
+      tag: ${{ needs.release.outputs.tag }}
+    secrets: inherit
+    permissions:
+      contents: read
+      id-token: write