prowler/.github/workflows/sdk-pypi-release.yml

name: 'SDK: PyPI Release'

on:
  release:
    types:
      - 'published'

concurrency:
  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
  cancel-in-progress: false

env:
  RELEASE_TAG: ${{ github.event.release.tag_name }}
  PYTHON_VERSION: '3.12'

jobs:
  validate-release:
    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: read
    outputs:
      prowler_version: ${{ steps.parse-version.outputs.version }}
      major_version: ${{ steps.parse-version.outputs.major }}

    steps:
      - name: Parse and validate version
        id: parse-version
        run: |
          PROWLER_VERSION="${{ env.RELEASE_TAG }}"
          echo "version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"

          # Extract major version
          MAJOR_VERSION="${PROWLER_VERSION%%.*}"
          echo "major=${MAJOR_VERSION}" >> "${GITHUB_OUTPUT}"

          # Validate major version
          case ${MAJOR_VERSION} in
            3|4|5)
              echo "✓ Releasing Prowler v${MAJOR_VERSION} with tag ${PROWLER_VERSION}"
              ;;
            *)
              echo "::error::Unsupported Prowler major version: ${MAJOR_VERSION}"
              exit 1
              ;;
          esac

  publish-prowler:
    needs: validate-release
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
      id-token: write
    environment:
      name: pypi-prowler
      url: https://pypi.org/project/prowler/${{ needs.validate-release.outputs.prowler_version }}/

    steps:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Poetry
        run: pipx install poetry==2.1.1

      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'poetry'

      - name: Build Prowler package
        run: poetry build

      - name: Publish Prowler package to PyPI
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
        with:
          print-hash: true

  publish-prowler-cloud:
    needs: validate-release
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
      id-token: write
    environment:
      name: pypi-prowler-cloud
      url: https://pypi.org/project/prowler-cloud/${{ needs.validate-release.outputs.prowler_version }}/

    steps:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Poetry
        run: pipx install poetry==2.1.1

      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'poetry'

      - name: Install toml package
        run: pip install toml

      - name: Replicate PyPI package for prowler-cloud
        run: |
          rm -rf ./dist ./build prowler.egg-info
          python util/replicate_pypi_package.py

      - name: Build prowler-cloud package
        run: poetry build

      - name: Publish prowler-cloud package to PyPI
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
        with:
          print-hash: true