zizmor/.github/workflows/release-pypi.yml

name: zizmor wheel builds for PyPI 🐍

on:
  push:
    branches:
      - main
    tags:
      - 'v*'
  workflow_dispatch:

permissions:
  contents: read

jobs:
  linux:
    name: Build Linux wheels (manylinux)
    runs-on: ${{ matrix.platform.runner }}
    strategy:
      matrix:
        platform:
          - runner: ubuntu-24.04
            target: x86_64
            manylinux: "2_28"
          # - runner: ubuntu-24.04
          #   target: x86
          #   manylinux: "auto"
          - runner: ubuntu-24.04
            target: aarch64
            manylinux: "2_24"
          - runner: ubuntu-24.04
            target: armv7
            manylinux: "2_28"
          # - runner: ubuntu-24.04
          #   target: s390x
          #   manylinux: "2_28"
          # - runner: ubuntu-24.04
          #   target: ppc64le
          #   manylinux: "2_28"
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
      - name: Build wheels
        uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
        with:
          target: ${{ matrix.platform.target }}
          args: --release --out dist --manifest-path crates/zizmor/Cargo.toml
          manylinux: ${{ matrix.platform.manylinux }}
      - name: Upload wheels
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: wheels-linux-${{ matrix.platform.target }}
          path: dist

  musllinux:
    name: Build Linux wheels (musllinux)
    runs-on: ${{ matrix.platform.runner }}
    strategy:
      matrix:
        platform:
          - runner: ubuntu-24.04
            target: x86_64
          # - runner: ubuntu-24.04
          #   target: x86
          - runner: ubuntu-24.04
            target: aarch64
          - runner: ubuntu-24.04
            target: armv7
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
      - name: Build wheels
        uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
        with:
          target: ${{ matrix.platform.target }}
          args: --release --out dist --manifest-path crates/zizmor/Cargo.toml
          manylinux: musllinux_1_2
      - name: Upload wheels
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: wheels-musllinux-${{ matrix.platform.target }}
          path: dist

  windows:
    name: Build Windows wheels
    runs-on: ${{ matrix.platform.runner }}
    strategy:
      matrix:
        platform:
          - runner: windows-latest
            target: x64
          - runner: windows-latest
            target: x86
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
      - name: Build wheels
        uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
        with:
          target: ${{ matrix.platform.target }}
          args: --release --out dist --manifest-path crates/zizmor/Cargo.toml
      - name: Upload wheels
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: wheels-windows-${{ matrix.platform.target }}
          path: dist

  macos:
    name: Build macOS wheels
    runs-on: ${{ matrix.platform.runner }}
    strategy:
      matrix:
        platform:
          - runner: macos-15
            target: x86_64
          - runner: macos-15
            target: aarch64
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
      - name: Build wheels
        uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
        with:
          target: ${{ matrix.platform.target }}
          args: --release --out dist --manifest-path crates/zizmor/Cargo.toml
      - name: Upload wheels
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: wheels-macos-${{ matrix.platform.target }}
          path: dist

  sdist:
    name: Build source distribution
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
      - name: Build sdist
        uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
        with:
          command: sdist
          args: --out dist --manifest-path crates/zizmor/Cargo.toml
      - name: Upload sdist
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: wheels-sdist
          path: dist

  release:
    name: Release
    runs-on: ubuntu-latest
    environment:
      name: pypi
      url: https://pypi.org/p/zizmor
    if: ${{ startsWith(github.ref, 'refs/tags/') }}
    needs: [linux, musllinux, windows, macos, sdist]
    permissions:
      # Use to sign the release artifacts
      id-token: write
      # Used to upload release artifacts
      contents: write
      # Used to generate artifact attestation
      attestations: write
    steps:
      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
        with:
          subject-path: 'wheels-*/*'
      - name: Publish to PyPI
        if: ${{ startsWith(github.ref, 'refs/tags/') }}
        uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
        with:
          command: upload
          args: --non-interactive --skip-existing wheels-*/*