# Publish a release to PyPI, crates.io and npmjs registry.
#
# Assumed to run as a subworkflow of .github/workflows/release.yml; specifically, as a publish job
# within `cargo-dist`.
name: "Publish"

on:
  workflow_call:
    inputs:
      plan:
        required: true
        type: string

jobs:
  crates-publish:
    name: Upload to crates.io
    runs-on: ubuntu-latest
    environment:
      name: release
    permissions:
      # For crates.io's trusted publishing.
      id-token: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: rui314/setup-mold@725a8794d15fc7563f59595bd9556495c0564878 # v1
      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
        with:
          save-if: ${{ github.ref == 'refs/heads/master' }}
      - name: "Install Rust toolchain"
        run: rustup show
      - uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3
        id: auth
      - name: "Publish to crates.io"
        run: cargo publish --workspace --verbose
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}

  pypi-publish:
    name: Upload to PyPI
    runs-on: ubuntu-latest
    environment:
      name: release
    permissions:
      # For PyPI's trusted publishing.
      id-token: write
    steps:
      - name: "Install uv"
        uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          pattern: wheels-*
          path: wheels
          merge-multiple: true
      - name: Publish to PyPi
        run: uv publish -v wheels/*

  npm-publish:
    name: Upload to npmjs registry
    runs-on: ubuntu-latest
    environment:
      name: release
    permissions:
      # For npm's trusted publishing.
      id-token: write
    env:
      PLAN: ${{ inputs.plan }}
    steps:
      - name: Fetch npm packages
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          pattern: artifacts-build-global
          path: npm/
          merge-multiple: true
      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version: '24.x'
          registry-url: 'https://registry.npmjs.org'
      # Ensure npm 11.5.1 or later is installed
      - name: Update npm
        run: npm install -g npm@latest
      - run: |
          for release in $(echo "$PLAN" | jq --compact-output '.releases[] | select([.artifacts[] | endswith("-npm-package.tar.gz")] | any)'); do
            pkg=$(echo "$release" | jq '.artifacts[] | select(endswith("-npm-package.tar.gz"))' --raw-output)
            prerelease=$(echo "$PLAN" | jq ".announcement_is_prerelease")
            if [ "$prerelease" = "true" ]; then
              npm publish --tag beta --provenance --access public "./npm/${pkg}"
            else
              npm publish --provenance --access public "./npm/${pkg}"
            fi
          done