name: Release

on:
  schedule:
    - cron: '0 0 28 * *'  # Monthly auto-release
  workflow_dispatch:      # Manual trigger for quick fixes

jobs:
  release:
    if: github.repository == 'python-gitlab/python-gitlab'
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    environment: pypi.org
    steps:
    - uses: actions/checkout@v3.5.0
      with:
        fetch-depth: 0
        token: ${{ secrets.RELEASE_GITHUB_TOKEN }}
    - name: mint API token
      id: mint-token
      run: |
        resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
        oidc_token=$(jq '.value' <<< "${resp}")

        resp=$(curl -X POST https://pypi.org/_/oidc/github/mint-token -d "{\"token\":${oidc_token}}")
        api_token=$(jq '.token' <<< "${resp}" | tr -d '"')

        echo "::add-mask::${api_token}"
        echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
    - name: Python Semantic Release
      uses: relekang/python-semantic-release@v7.33.2
      with:
        github_token: ${{ secrets.RELEASE_GITHUB_TOKEN }}
        pypi_token: ${{ steps.mint-token.outputs.api-token }}