name: Publish Python package

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:

jobs:
  publish:
    runs-on: haskelseed
    steps:
      - name: Check out source
        env:
          PACKAGE_USER: ${{ secrets.PACKAGE_USER }}
          PACKAGE_TOKEN: ${{ secrets.PACKAGE_TOKEN }}
        run: |
          git clone --depth 1 \
            "https://${PACKAGE_USER}:${PACKAGE_TOKEN}@gitea.coulomb.social/coulomb/kaizen-agentic.git" \
            repo
          cd repo
          git checkout "${{ gitea.sha }}"

      - name: Build and publish
        env:
          TWINE_USERNAME: ${{ secrets.PACKAGE_USER }}
          TWINE_PASSWORD: ${{ secrets.PACKAGE_TOKEN }}
          PYTHON_KEYRING_BACKEND: keyring.backends.null.Keyring
        run: |
          cd repo
          python3 -m venv .build-venv
          . .build-venv/bin/activate
          python -m pip install --upgrade pip build twine
          python -m build
          python -m twine check dist/*
          python -m twine upload \
            --username "${TWINE_USERNAME}" \
            --password "${TWINE_PASSWORD}" \
            --non-interactive \
            --repository-url https://gitea.coulomb.social/api/packages/coulomb/pypi \
            dist/*