From 7bf673637166b301a0c5650256a4c8c5e4b2f738 Mon Sep 17 00:00:00 2001
From: Ryan White <ryan.white@cabinetoffice.gov.uk>
Date: Wed, 16 Oct 2024 15:58:30 +0100
Subject: [PATCH] rework ci to avoid trusted publisher limitations

---
 .github/workflows/publish.yml | 29 ++++++++---------------------
 .github/workflows/release.yml | 15 ---------------
 .github/workflows/tests.yml   | 35 ++++++++++++++++-------------------
 3 files changed, 24 insertions(+), 55 deletions(-)
 delete mode 100644 .github/workflows/release.yml

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a541bfe..2e16176 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,16 +1,10 @@
 ---
 name: Publish
-run-name: Publish ${{ inputs.tag }} to PyPI
+run-name: Publish ${{ github.event.release.tag_name }} to PyPI
 
 on:
-  workflow_call:
-    inputs:
-      stage:
-        type: string
-        required: true
-      tag:
-        type: string
-        required: true
+  release:
+    types: [released]
 
 jobs:
   build-and-publish:
@@ -37,23 +31,16 @@ jobs:
           poetry install
 
       - name: Bump version number
-        run: poetry version ${{ inputs.tag }}
+        run: poetry version ${{ github.event.release.tag_name }}
 
       - name: Build package
         run: poetry build
 
-      - name: Publish to test pypi
-        if: inputs.stage == 'test'
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          repository-url: 'https://test.pypi.org/legacy/'
-
       - name: Publish to prod pypi
-        if: inputs.stage == 'prod'
         uses: pypa/gh-action-pypi-publish@release/v1
 
   determine-success:
-    if: inputs.stage == 'prod' && always()
+    if: always()
     needs:
       - build-and-publish
     runs-on: ubuntu-latest
@@ -69,14 +56,14 @@ jobs:
           fi
 
   notify-slack:
-    if: inputs.stage == 'prod' && always()
+    if: always()
     uses: i-dot-ai/i-dot-ai-core-github-actions/.github/workflows/slack-notify.yml@main
     needs:
       - build-and-publish
       - determine-success
     with:
       WORKFLOW_PASSED: ${{ needs.determine-success.outputs.success == 'true' }}
-      SUCCESS_PAYLOAD: "{\"blocks\":[{\"type\":\"header\",\"text\":{\"type\":\"plain_text\",\"text\":\":airplane: ${{ github.repository }} - Successfully deployed ${{ inputs.tag }} :large_green_circle:\"}},{\"type\":\"section\",\"text\":{\"type\":\"mrkdwn\",\"text\":\"Package published to PyPI successfully\"}}]}"
-      FAILURE_PAYLOAD: "{\"blocks\":[{\"type\":\"header\",\"text\":{\"type\":\"plain_text\",\"text\":\":x: ${{ github.repository }} - Failed to deploy ${{ inputs.tag }} :x:\"}},{\"type\":\"section\",\"text\":{\"type\":\"mrkdwn\",\"text\":\"Failed to publish package to PyPI\"}}]}"
+      SUCCESS_PAYLOAD: "{\"blocks\":[{\"type\":\"header\",\"text\":{\"type\":\"plain_text\",\"text\":\":airplane: ${{ github.repository }} - Successfully deployed ${{ github.event.release.tag_name }}:large_green_circle:\"}},{\"type\":\"section\",\"text\":{\"type\":\"mrkdwn\",\"text\":\"Package published to PyPI successfully\"}}]}"
+      FAILURE_PAYLOAD: "{\"blocks\":[{\"type\":\"header\",\"text\":{\"type\":\"plain_text\",\"text\":\":x: ${{ github.repository }} - Failed to deploy ${{ github.event.release.tag_name }} :x:\"}},{\"type\":\"section\",\"text\":{\"type\":\"mrkdwn\",\"text\":\"Failed to publish package to PyPI\"}}]}"
     secrets:
       SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 04a69b5..0000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-name: Release
-run-name: Release version ${{ github.event.release.tag_name }}
-
-on:
-  release:
-    types: [released]
-
-jobs:
-  publish:
-    name: Publish
-    uses: i-dot-ai/cruft-iai/.github/workflows/publish.yml@master
-    with: 
-      stage: prod
-      tag: ${{ github.event.release.tag_name }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 1b79791..eef3173 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -1,16 +1,10 @@
 name: Run tests
 on:
   push:
-  workflow_call:
 
 jobs:
-  test-code:
-    strategy:
-      fail-fast: false
-      matrix:
-        os: ["macos-latest"]
-        python-version: ["3.12"]
-    runs-on: ${{ matrix.os }}
+  test:
+    runs-on: "macos-latest"
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -18,26 +12,29 @@ jobs:
       - name: Install poetry
         run: pipx install poetry
 
-      - name: Setup Python ${{ matrix.python-version }}
+      - name: Setup Python 3.12
         uses: actions/setup-python@v5
         with:
-          python-version: ${{ matrix.python-version }}
+          python-version: "3.12"
           cache: "poetry"
 
       - name: Install dependencies
         run: |
-          poetry env use python
+          poetry env use "3.12"
           poetry install
 
       - name: Run Checks
         run: |
           bash scripts/test.sh --ci
 
-  test-publish:
-    if: github.event.ref_name == github.event.repository.default_branch
-    needs:
-      - test-code
-    uses: i-dot-ai/cruft-iai/.github/workflows/publish.yml@master
-    with:
-      stage: test
-      tag: "0.0.0"
+      - name: Bump version number
+        run: poetry version 0.0.0
+
+      - name: Build package
+        run: poetry build
+
+      - name: Publish to test pypi
+        if: github.ref_name == github.event.repository.default_branch
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: 'https://test.pypi.org/legacy/'