ci(workflows): fix duplicate release, and use changelog for release notes

owenthcarey · owenthcarey · commit 1cd5393e7bf2 · 2026-03-05T03:19:47.000-08:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,17 +3,19 @@ name: Release
 on:
   push:
     branches: [main]
+  release:
+    types: [published]
   workflow_dispatch:
 
 # ┌─────────────────────────────────────────────────────────────────┐
 # │ DRAFT_RELEASE                                                   │
 # │                                                                 │
-# │  "true"  → GitHub Releases are created as drafts and PyPI       │
-# │            publishing is skipped (burn-in / review period).     │
-# │  "false" → GitHub Releases are published immediately and the    │
-# │            package is uploaded to PyPI.                         │
+# │  "true"  → GitHub Releases are created as drafts; review them   │
+# │            on GitHub, then click "Publish" to trigger PyPI.     │
+# │  "false" → GitHub Releases are published immediately, which     │
+# │            automatically triggers the PyPI publish job.         │
 # │                                                                 │
-# │ Flip to "false" once you have verified the release output.      │
+# │ Flip to "false" once you are comfortable with the pipeline.     │
 # └─────────────────────────────────────────────────────────────────┘
 env:
   DRAFT_RELEASE: "true"
@@ -22,9 +24,7 @@ jobs:
   release:
     name: Semantic Release
     runs-on: ubuntu-latest
-    if: >-
-      github.event_name == 'workflow_dispatch' ||
-      !startsWith(github.event.head_commit.message, 'chore(release):')
+    if: github.event_name != 'release'
     concurrency:
       group: release
       cancel-in-progress: false
@@ -51,11 +51,21 @@ jobs:
         uses: python-semantic-release/python-semantic-release@v9
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
+          vcs_release: "false"
 
       - name: Build package
         if: steps.release.outputs.released == 'true'
         run: python -m build
 
+      - name: Extract changelog for this release
+        if: steps.release.outputs.released == 'true'
+        id: changelog
+        run: |
+          TAG="${{ steps.release.outputs.tag }}"
+          VER="${TAG#v}"
+          # Extract the section between this version's header and the next
+          awk "/^## v${VER//./\\.} /{found=1; next} /^## v[0-9]/{if(found) exit} found" CHANGELOG.md > /tmp/release_notes.md
+
       - name: Create GitHub Release
         if: steps.release.outputs.released == 'true'
         env:
@@ -67,11 +77,39 @@ jobs:
           gh release create "${{ steps.release.outputs.tag }}" \
             ${DRAFT_FLAG:-} \
             --title "${{ steps.release.outputs.tag }}" \
-            --generate-notes \
+            --notes-file /tmp/release_notes.md \
             dist/*
 
-      - name: Publish to PyPI
+      - name: Publish to PyPI (non-draft)
         if: steps.release.outputs.released == 'true' && env.DRAFT_RELEASE != 'true'
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           skip-existing: true
+
+  pypi-publish:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    if: github.event_name == 'release' && github.event.action == 'published'
+    permissions:
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.release.tag_name }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install build tools
+        run: python -m pip install -U pip build
+
+      - name: Build package
+        run: python -m build
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          skip-existing: true
