name: Publish to PyPI

on:
  push:
    tags:
      - 'v*'

jobs:
  build-and-publish:
    runs-on: self-hosted

    permissions:
      id-token: write
      contents: read

    steps:
      - name: Check tag format
        run: |
          TAG="${GITHUB_REF##refs/tags/}"
          echo "Tag: $TAG"
          if [[ ! "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(a[0-9]+|b[0-9]+|rc[0-9]+)?$ ]]; then
            echo "Tag does not match version pattern. Skipping."
            exit 1
          fi

      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        run: |
          python -m venv venv
          source venv/bin/activate
          pip install --upgrade pip

      - name: Install dependencies
        run: |
          source venv/bin/activate
          pip install build twine

      - name: Build package
        run: |
          source venv/bin/activate
          python -m build

      - name: Publish to PyPI
        env:
          TWINE_USERNAME: __token__
          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
        run: |
          source venv/bin/activate
          python -m twine upload dist/*