infra: make publish-release workflow non-reusable

This seems to be needed to make sure that trusted publishing (see below link) works properly, since the readme says that it can't work from an reusable workflow. I ran into this issue when trying to build the release, the publish-release workflow was failing with a big amount of text: https://github.com/IRNAS/irnas-east-software/actions/runs/11718734433/job/32640627624 Relevant issues that helped to get a sense of what is happening: https://github.com/pypa/gh-action-pypi-publish?tab=readme-ov-file#trusted-publishing pypi/warehouse#11096 pypa/gh-action-pypi-publish#166
IRNAS · Nov 7, 2024 · f62be2e · f62be2e
1 parent 0117ecc
commit f62be2e
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 65 deletions.
diff --git a/.github/workflows/create-release.yaml b/.github/workflows/create-release.yaml
@@ -59,15 +59,59 @@ jobs:
     with:
       checkout_ref: ${{ inputs.version }}
 
-  call-publish-release:
+  publish-release:
     needs: call-build
-    uses: ./.github/workflows/publish-release.yaml
-    with:
-      release_version: ${{ inputs.version }}
+    runs-on: ubuntu-22.04
+    environment:
+      name: pypi
+      url: https://pypi.org/p/east-tool
+    permissions:
+      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
+      contents: write
+
+    steps:
+      - name: Start
+        run: |
+          version_cut=$(echo "${{ inputs.version }}" | cut -c 2-)
+          echo "release_version=${{ inputs.version }}" >> $GITHUB_ENV
+          echo "release_version_cut=$version_cut" >> $GITHUB_ENV
+
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.release_version }}
+
+      - name: Get latest Changelog entry
+        id: changelog-reader
+        uses: mindsers/[email protected]
+        with:
+          version: ${{ env.release_version_cut }}
+
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist
+
+      # You wonder how there isn't any token? east is configured to use OIDC,
+      # check on pypi under Publishing section what is that.
+      - name: Publish distribution to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+      - name: Publish Release
+        if: ${{ !env.ACT }}
+        uses: softprops/[email protected]
+        with:
+          files: dist/*
+          tag_name: ${{ env.release_version }}
+          body: |
+            # Release notes
+
+            ${{ steps.changelog-reader.outputs.changes }}
 
   cleanup-on-failure:
-    # Only run cleanup if either call-build or call-publish-release fail.
-    needs: [call-build, call-publish-release]
+    # Only run cleanup if either call-build or publish-release fail.
+    needs: [call-build, publish-release]
     if: ${{ always() && contains(join(needs.*.result, ','), 'failure') }}
     runs-on: ubuntu-22.04
 

diff --git a/.github/workflows/publish-release.yaml b/.github/workflows/publish-release.yaml