.github/workflows/release.yml

name: release

on:
  push:
    tags:
      - "v*.*.*"

permissions:
  contents: read

jobs:
  test:
    uses: ./.github/workflows/test.yml
    with:
      full-matrix: true

  packages:
    uses: ./.github/workflows/packages.yml

  publish-pypi:
    needs:
      - test
      - packages
    runs-on: ubuntu-latest
    environment: release
    permissions:
      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: packages
          path: dist
      - name: Upload
        uses: pypa/gh-action-pypi-publish@2f6f737ca5f74c637829c0f5c3acd0e29ea5e8bf
        with:
          repository-url: https://upload.pypi.org/legacy/

  build-distribution:
    uses: ./.github/workflows/build-distribution.yml

  publish-lambda-layers:
    needs:
      - build-distribution
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/vault-action@v2.8.0
        with:
          url: ${{ secrets.VAULT_ADDR }}
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
          secrets: |
            secret/observability-team/ci/service-account/apm-agent-python access_key_id | AWS_ACCESS_KEY_ID ;
            secret/observability-team/ci/service-account/apm-agent-python secret_access_key | AWS_SECRET_ACCESS_KEY
      - uses: actions/download-artifact@v4
        with:
          name: build-distribution
          path: ./build
      - name: Publish lambda layers to AWS
        run: |
          # Convert v1.2.3 to ver-1-2-3
          VERSION=${GITHUB_REF_NAME/v/ver-}
          VERSION=${VERSION//./-}

          ELASTIC_LAYER_NAME="elastic-apm-python-${VERSION}" .ci/publish-aws.sh
      - uses: actions/upload-artifact@v4
        with:
          name: arn-file
          path: ".arn-file.md"
          if-no-files-found: error

  publish-docker:
    needs:
      - build-distribution
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: elastic/apm-pipeline-library/.github/actions/docker-login@current
        with:
          registry: docker.elastic.co
          secret: secret/observability-team/ci/docker-registry/prod
          url: ${{ secrets.VAULT_ADDR }}
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
      - uses: actions/download-artifact@v4
        with:
          name: build-distribution
          path: ./build
      - id: setup-docker
        name: Set up docker variables
        run: |-
          # version without v prefix (e.g. 1.2.3)
          echo "tag=${GITHUB_REF_NAME/v/}" >> "${GITHUB_OUTPUT}"
          echo "name=docker.elastic.co/observability/apm-agent-python" >> "${GITHUB_OUTPUT}"
      - name: Docker build
        run: >-
          docker build
          -t ${{ steps.setup-docker.outputs.name }}:${{ steps.setup-docker.outputs.tag }}
          --build-arg AGENT_DIR=./build/dist/package/python
          .
      - name: Docker retag
        run: >-
          docker tag
          ${{ steps.setup-docker.outputs.name }}:${{ steps.setup-docker.outputs.tag }}
          ${{ steps.setup-docker.outputs.name }}:latest
      - name: Docker push
        run: |-
          docker push ${{ steps.setup-docker.outputs.name }}:${{ steps.setup-docker.outputs.tag }}
          docker push ${{ steps.setup-docker.outputs.name }}:latest

  github-draft:
    permissions:
      contents: write
    needs:
      - publish-lambda-layers
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: arn-file
      - name: Create GitHub Draft Release
        run: >-
          gh release create "${GITHUB_REF_NAME}"
          --title="${GITHUB_REF_NAME}"
          --generate-notes
          --notes-file=".arn-file.md"
          --draft
        env:
          GH_TOKEN: ${{ github.token }}

  notify:
    runs-on: ubuntu-latest
    if: always()
    needs:
      - publish-lambda-layers
      - publish-pypi
      - publish-docker
      - github-draft
    steps:
      - id: check
        uses: elastic/apm-pipeline-library/.github/actions/check-dependent-jobs@current
        with:
          needs: ${{ toJSON(needs) }}
      - uses: elastic/apm-pipeline-library/.github/actions/notify-build-status@current
        with:
          status: ${{ steps.check.outputs.status }}
          vaultUrl: ${{ secrets.VAULT_ADDR }}
          vaultRoleId: ${{ secrets.VAULT_ROLE_ID }}
          vaultSecretId: ${{ secrets.VAULT_SECRET_ID }}
          slackChannel: "#apm-agent-python"