refactor(ci): improve the release workflow

.github/workflows/build.yaml

@@ -10,10 +10,6 @@
 name: Build the package
 on:
   workflow_call:
-    inputs:
-      is_release_build: # To determine the context in which the build workflow is called.
-        required: true
-        type: boolean
     outputs:
       artifacts-sha256:
         description: The hash of the artifacts
@@ -43,18 +39,9 @@ jobs:
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
     - name: Check out repository
-      if: inputs.is_release_build == false
       uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
       with:
         fetch-depth: 0
-    # If the workflow is called for a release, we need to check out the main
-    # branch, which contains the release bump commit.
-    - name: Check out for release
-      if: inputs.is_release_build == true
-      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
-      with:
-        fetch-depth: 0
-        ref: main
     - name: Set up Python
       uses: actions/setup-python@b55428b1882923874294fa556849718a1d7f2ca5 # v4.2.0
       with:
@@ -100,19 +87,11 @@ jobs:
         echo "::set-output name=artifacts-sha256::$DIGEST"
     # For now only generate artifacts for the specified OS and Python version in env variables.
     # Currently reusable workflows do not support setting strategy property from the caller workflow.
-    - name: Upload the package artifact for debugging
-      if: inputs.is_release_build == false && matrix.python == '3.10' && matrix.os == 'ubuntu-latest'
+    - name: Upload the package artifact for debugging and release
+      if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
       uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
       with:
-        name: debug-artifact-${{ matrix.os }}-python-${{ matrix.python }}
+        name: artifact-${{ matrix.os }}-python-${{ matrix.python }}
         path: dist
         if-no-files-found: error
         retention-days: 1
-    - name: Upload the package artifact for release
-      if: inputs.is_release_build == true && matrix.python == '3.10' && matrix.os == 'ubuntu-latest'
-      uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
-      with:
-        name: release-artifact-${{ matrix.os }}-python-${{ matrix.python }}
-        path: dist
-        if-no-files-found: error
-        retention-days: 5

.github/workflows/pull-request.yaml

@@ -57,8 +57,6 @@ jobs:
   build:
     needs: conventional-commits
     uses: ./.github/workflows/build.yaml
-    with:
-      is_release_build: false
     permissions:
       contents: read
     # If the build workflow needs to access secrets, they need to be passed using `secrets: inherit`.

.github/workflows/release.yaml

@@ -10,22 +10,21 @@ on:
 permissions:
   contents: read
 env:
-  ARTIFACT_NAME: release-artifact-ubuntu-latest-python-3.10
+  ARTIFACT_NAME: artifact-ubuntu-latest-python-3.10
   # This is the username and email for the user who commits and pushes the release
   # commit. In an organisation that should be a dedicated devops account.
   USER_NAME: jenstroeger
   USER_EMAIL: [email protected]
 
 jobs:
   check:
+    if: ${{ !startsWith(github.event.commits[0].message, 'bump:') }}
     uses: ./.github/workflows/build.yaml
-    with:
-      is_release_build: false
     permissions:
       contents: read
   bump:
     needs: check
-    if: ${{ github.ref == 'refs/heads/main' && !startsWith(github.event.commits[0].message, 'bump:') }}
+    if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -47,33 +46,22 @@ jobs:
       run: |
         pip install --upgrade pip wheel
         pip install 'commitizen ==2.32.1'
-    - name: Create changelog and bump
+    - name: Set up user
       run: |
         # Set up the GitHub user and email as author for the release commit.
         git config --global user.name $USER_NAME
         git config --global user.email $USER_EMAIL
         git config --list --global
-        # First generate the CHANGELOG diff to use as release notes.
-        mkdir -p dist
-        cz changelog --dry-run --incremental --unreleased-version "Release Notes" > dist/RELEASE_NOTES.md
-        # Update the CHANGELOG.md.
-        cz changelog
-        cz bump --yes
-        # Push the release tag.
+    - name: Create changelog and bump
+      run: cz bump --changelog --yes
+    - name: Push the release
+      run: |
         git push
         git push --tags
-    - name: Upload the Release Notes
-      uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
-      with:
-        name: ${{ env.ARTIFACT_NAME }}
-        path: dist
-        if-no-files-found: error
-        retention-days: 1
+  # When triggered by the version bump commit, build the package and publish the release artifacts.
   build:
-    needs: bump
+    if: startsWith(github.event.commits[0].message, 'bump:')
     uses: ./.github/workflows/build.yaml
-    with:
-      is_release_build: true
     permissions:
       contents: read
   provenance:
@@ -102,7 +90,6 @@ jobs:
       uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
       with:
         fetch-depth: 0
-        ref: main
     - name: Download provenance
       uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
       with:
@@ -121,11 +108,22 @@ jobs:
         # Verify hashes by first computing hashes for the artifacts and
         # then comparing them against the hashes computed by the build job.
         echo "$ARTIFACT_HASH" | base64 -d | sha256sum --strict --check --status || exit 1
+    # Create the Release Notes using commitizen.
+    - name: Set up Python
+      uses: actions/setup-python@b55428b1882923874294fa556849718a1d7f2ca5 # v4.2.0
+      with:
+        python-version: '3.10'
+    - name: Set up Commitizen
+      run: |
+        pip install --upgrade pip wheel
+        pip install 'commitizen ==2.32.1'
+    - name: Create Release Notes
+      run: cz changelog --dry-run $(cz version --project) > RELEASE_NOTES.md
     - name: Upload assets
       env:
         GH_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }}
       # Create the release including the artifacts and the SLSA L3 provenance.
-      run: gh release create `git describe --tags --abbrev=0` dist/* ${{ needs.provenance.outputs.attestation-name }} --notes-file dist/RELEASE_NOTES.md
+      run: gh release create `git describe --tags --abbrev=0` dist/* ${{ needs.provenance.outputs.attestation-name }} --notes-file RELEASE_NOTES.md
     # Uncomment the following steps to publish to a PyPI server.
     # At the moment PyPI does not provide a mechanism to publish
     # the provenance. So, users have to download the provenance from

pyproject.toml

@@ -84,7 +84,10 @@ line-length = 120
 # https://github.com/commitizen-tools/commitizen
 # https://commitizen-tools.github.io/commitizen/bump/
 [tool.commitizen]
-bump_message = "bump: release $current_version → $new_version"
+bump_message = """bump: release $current_version → $new_version
+
+Automatically generated by Commitizen.
+"""
 tag_format = "v$major.$minor.$patch$prerelease"
 update_changelog_on_bump = true
 version_files = [