build_zipapp.yml

name: Build zipapp

# run on push for setup/testing
on:
  release:
    types: [published]

permissions: {}

jobs:
  build:
    name: Build zipapp
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        fetch-depth: 0
        persist-credentials: false
    - name: Set up Python
      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
      with:
        python-version: "3.14"  # Build with 3.14 to ensure reannotate is included
    - name: Build the Zipapp
      run: >-
        python3 scripts/build_zipapp.py
    - name: Store the built zipapp
      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
      with:
        name: pythonfinder-zipapp
        path: dist/

  add-to-github-release:
    name: >-
      Sign the zipapp with Sigstore
      and upload it to GitHub Release
    needs:
    - build
    runs-on: ubuntu-latest

    permissions:
      contents: write  # IMPORTANT: mandatory for making GitHub Releases
      id-token: write  # IMPORTANT: mandatory for sigstore

    steps:
    - name: Download the zipapp
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: pythonfinder-zipapp
        path: dist/
    - name: Sign the zipapp with Sigstore
      uses: sigstore/gh-action-sigstore-python@04cffa1d795717b140764e8b640de88853c92acc # v3.3.0
      with:
        release-signing-artifacts: false
        inputs: >-
          ./dist/*.pyz
    - name: Upload artifact signature to GitHub Release
      env:
        GITHUB_TOKEN: ${{ github.token }}
      shell: bash
      # Upload to GitHub Release using the `gh` CLI.
      # `dist/` contains the built packages, and the
      # sigstore-produced signatures and certificates.
      run: >-
        gh release upload
        "${GITHUB_REF_NAME}" dist/**
        --repo "${GITHUB_REPOSITORY}"