Speed up workflow validation and releases (#11)

## Summary
- avoid duplicate package builds during release validation
- download pinned actionlint binary instead of building from source
- use cache action v5 and remove redundant pip upgrades
- let release validation and build jobs run in parallel before
publishing

## Test plan
- /opt/homebrew/bin/actionlint
- git diff --check -- .github/workflows/release.yml
.github/workflows/validate.yml

---------

Co-authored-by: Amp <amp@ampcode.com>

Author: marcleblanc2

.github/workflows/release.yml

@@ -28,10 +28,10 @@ jobs:
     uses: ./.github/workflows/validate.yml
     with:
       ref: ${{ github.event.inputs.tag || github.ref }}
+      build-package: false
 
   wheel:
     name: Build wheel
-    needs: validate
     runs-on: ubuntu-24.04
     env:
       IMPORT_NAME: src_py_lib
@@ -53,17 +53,15 @@ jobs:
           cache: pip
 
       - name: Cache uv
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~/.cache/uv
           key: uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-${{ hashFiles('uv.lock') }}
           restore-keys: |
             uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-
 
       - name: Install build tools
-        run: |
-          python -m pip install --upgrade pip
-          python -m pip install "uv==${UV_VERSION}"
+        run: python -m pip install "uv==${UV_VERSION}"
 
       - name: Validate release inputs
         id: release
@@ -145,7 +143,6 @@ jobs:
         run: |
           python -m venv build/release/install-venv
           . build/release/install-venv/bin/activate
-          python -m pip install --upgrade pip
           python -m pip install "${{ steps.build.outputs.wheel_path }}"
           python - <<'PY'
           import os
@@ -213,22 +210,34 @@ jobs:
             ${{ steps.build.outputs.wheel_path }}
             ${{ steps.build.outputs.source_distribution_path }}
 
+  github-release:
+    name: Publish GitHub release assets
+    needs: [validate, wheel]
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Download release assets
+        uses: actions/download-artifact@v7
+        with:
+          name: src-py-lib-release
+          path: release-assets
+
       - name: Publish GitHub release assets
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
-          release_tag="${{ steps.release.outputs.tag }}"
-          wheel_path="${{ steps.build.outputs.wheel_path }}"
-          source_distribution_path="${{ steps.build.outputs.source_distribution_path }}"
-          wheel_checksum_path="${{ steps.build.outputs.wheel_checksum_path }}"
-          source_distribution_checksum_path="${{ steps.build.outputs.source_distribution_checksum_path }}"
-          notes_path="${{ steps.notes.outputs.path }}"
-          release_assets=(
-            "${wheel_path}"
-            "${source_distribution_path}"
-            "${wheel_checksum_path}"
-            "${source_distribution_checksum_path}"
-          )
+          release_tag="${{ github.event.inputs.tag || github.ref_name }}"
+          notes_path="$(find release-assets -name release-notes.md -print -quit)"
+          mapfile -t release_assets < <(find release-assets -type f ! -name release-notes.md | sort)
+
+          if [[ -z "${notes_path}" ]]; then
+            echo "::error title=Missing release notes::release-notes.md was not found in release artifact."
+            exit 1
+          fi
+          if [[ "${#release_assets[@]}" -eq 0 ]]; then
+            echo "::error title=Missing release assets::No release assets were downloaded."
+            exit 1
+          fi
 
           if gh release view "${release_tag}" >/dev/null 2>&1; then
             gh release edit "${release_tag}" --title "${release_tag}" --notes-file "${notes_path}"
@@ -243,7 +252,7 @@ jobs:
 
   pypi:
     name: Publish PyPI package
-    needs: wheel
+    needs: [validate, wheel]
     runs-on: ubuntu-24.04
     permissions:
       contents: read

.github/workflows/validate.yml

@@ -7,6 +7,11 @@ on:
         description: "Git ref to validate. Defaults to the caller's ref."
         required: false
         type: string
+      build-package:
+        description: "Build and smoke-test package artifacts. Release builds do this separately."
+        required: false
+        type: boolean
+        default: true
 
 permissions:
   contents: read
@@ -35,7 +40,7 @@ jobs:
 
       - name: Cache actionlint
         id: cache-actionlint
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~/.local/bin/actionlint
           key: actionlint-${{ runner.os }}-${{ runner.arch }}-${{ env.ACTIONLINT_VERSION }}
@@ -44,15 +49,22 @@ jobs:
         if: steps.cache-actionlint.outputs.cache-hit != 'true'
         run: |
           mkdir -p "${HOME}/.local/bin"
-          go install "github.com/rhysd/actionlint/cmd/actionlint@v${ACTIONLINT_VERSION}"
-          install -m 0755 "${HOME}/go/bin/actionlint" "${HOME}/.local/bin/actionlint"
+          asset="actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz"
+          checksums="actionlint_${ACTIONLINT_VERSION}_checksums.txt"
+          base_url="https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}"
+
+          curl -fsSLO "${base_url}/${asset}"
+          curl -fsSLO "${base_url}/${checksums}"
+          grep "  ${asset}$" "${checksums}" | sha256sum --check
+          tar -xzf "${asset}" -C "${HOME}/.local/bin" actionlint
+          chmod 0755 "${HOME}/.local/bin/actionlint"
 
       - name: Lint GitHub Actions
         run: |
           "${HOME}/.local/bin/actionlint"
 
       - name: Cache npm
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~/.npm
           key: npm-${{ runner.os }}-markdownlint-cli2-${{ env.MARKDOWNLINT_CLI2_VERSION }}
@@ -67,17 +79,15 @@ jobs:
           cache: pip
 
       - name: Cache uv
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~/.cache/uv
           key: uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-${{ hashFiles('uv.lock') }}
           restore-keys: |
             uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-
 
       - name: Install uv
-        run: |
-          python -m pip install --upgrade pip
-          python -m pip install "uv==${UV_VERSION}"
+        run: python -m pip install "uv==${UV_VERSION}"
 
       - name: Validate lockfile
         run: uv lock --check
@@ -106,13 +116,14 @@ jobs:
           PY
 
       - name: Build wheel
+        if: inputs.build-package
         run: uv build --wheel --out-dir dist --no-create-gitignore
 
       - name: Smoke test installed wheel
+        if: inputs.build-package
         run: |
           python -m venv build/ci-venv
           . build/ci-venv/bin/activate
-          python -m pip install --upgrade pip
           python -m pip install dist/*.whl
           python - <<'PY'
           import os

pyproject.toml

@@ -10,7 +10,7 @@ dev = [
 
 [project]
 name = "src-py-lib"
-version = "0.1.2"
+version = "0.1.3"
 description = "Reusable libraries for Sourcegraph projects"
 readme = "README.md"
 requires-python = ">=3.11"