name: Publish Python Packages

on:
  push:
    tags:
      - 'v*'
  workflow_dispatch:
    inputs:
      package:
        description: 'Package to publish (aitbc-sdk, aitbc-crypto, or all)'
        required: true
        default: 'all'
      dry_run:
        description: 'Dry run (build only, no publish)'
        required: false
        default: false
        type: boolean

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
      with:
        fetch-depth: 0

    - name: Set up Python
      uses: actions/setup-python@v4
      with:
        python-version: '3.11'

    - name: Install build dependencies
      run: |
        python -m pip install --upgrade pip
        pip install build twine

    - name: Build aitbc-crypto
      if: ${{ github.event.inputs.package == 'all' || github.event.inputs.package == 'aitbc-crypto' }}
      run: |
        cd packages/py/aitbc-crypto
        python -m build

    - name: Build aitbc-sdk
      if: ${{ github.event.inputs.package == 'all' || github.event.inputs.package == 'aitbc-sdk' }}
      run: |
        cd packages/py/aitbc-sdk
        python -m build

    - name: Check packages
      run: |
        for dist in packages/py/*/dist/*; do
          echo "Checking $dist"
          python -m twine check "$dist"
        done

    - name: Publish to PyPI
      if: ${{ github.event.inputs.dry_run != 'true' }}
      run: |
        for dist in packages/py/*/dist/*; do
          echo "Publishing $dist"
          python -m twine upload --skip-existing "$dist" || true
        done

    - name: Dry run - check only
      if: ${{ github.event.inputs.dry_run == 'true' }}
      run: |
        echo "Dry run complete - packages built and checked but not published"
        ls -la packages/py/*/dist/