feat(ci): automated release workflow

.github/CODEOWNERS

@@ -0,0 +1,3 @@
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+/.github @DisnakeDev/maintainers
+/scripts/ci @DisnakeDev/maintainers

.github/workflows/build-release.yaml

@@ -0,0 +1,227 @@
+# SPDX-License-Identifier: MIT
+
+name: Build (+ Release)
+
+# test build for commit/tag, but only upload release for tags
+on:
+  push:
+    branches:
+      - "master"
+      - 'v[0-9]+.[0-9]+.x'  # matches to backport branches, e.g. v3.6.x
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+"
+
+permissions:
+  contents: read
+
+jobs:
+  # Builds sdist and wheel, runs `twine check`, and optionally uploads artifacts.
+  build:
+    name: Build package
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up environment
+        id: setup
+        uses: ./.github/actions/setup-env
+        with:
+          python-version: 3.8
+
+      - name: Install dependencies
+        run: pdm install -dG build
+
+      - name: Build package
+        run: |
+          pdm run python -m build
+          ls -la dist/
+
+      - name: Twine check
+        run: pdm run twine check --strict dist/*
+
+      - name: Show metadata
+        run: |
+          mkdir out/
+          tar -xf dist/*.tar.gz -C out/
+
+          echo -e "<details><summary>Metadata</summary>\n" >> $GITHUB_STEP_SUMMARY
+          cat out/*/PKG-INFO | sed 's/^/    /' | tee -a $GITHUB_STEP_SUMMARY
+          echo -e "\n</details>\n" >> $GITHUB_STEP_SUMMARY
+
+      - name: Upload artifact
+        # only upload artifacts when necessary
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: actions/upload-artifact@v3
+        with:
+          name: dist
+          path: dist/
+          if-no-files-found: error
+
+
+  ### Anything below this only runs for tags ###
+
+  # Ensures that git tag and built version match.
+  validate-tag:
+    name: Validate tag
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    needs:
+      - build
+    env:
+      GIT_TAG: ${{ github.ref_name }}
+    outputs:
+      bump_dev: ${{ steps.check-dev.outputs.bump_dev }}
+
+    steps:
+      - name: Download build artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: dist
+          path: dist/
+
+      - name: Compare sdist version to git tag
+        run: |
+          mkdir out/
+          tar -xf dist/*.tar.gz -C out/
+
+          SDIST_VERSION="$(grep "^Version:" out/*/PKG-INFO | cut -d' ' -f2-)"
+          echo "git tag: $GIT_TAG"
+          echo "sdist version: $SDIST_VERSION"
+
+          if [ "$GIT_TAG" != "v$SDIST_VERSION" ]; then
+            echo "error: git tag does not match sdist version" >&2
+            exit 1
+          fi
+
+      - name: Determine if dev version PR is needed
+        id: check-dev
+        run: |
+          BUMP_DEV=
+          # if this is a new major/minor version, create a PR later
+          if [[ "$GIT_TAG" =~ ^v[0-9]+\.[0-9]+\.0$ ]]; then
+            BUMP_DEV=1
+          fi
+          echo "bump_dev=$BUMP_DEV" | tee -a $GITHUB_OUTPUT
+
+
+  # Creates a draft release on GitHub, and uploads the artifacts there.
+  release-github:
+    name: Create GitHub draft release
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    needs:
+      - build
+      - validate-tag
+    permissions:
+      contents: write  # required for creating releases
+
+    steps:
+      - name: Download build artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: dist
+          path: dist/
+
+      - name: Calculate versions
+        id: versions
+        env:
+          GIT_TAG: ${{ github.ref_name }}
+        run: |
+          # v1.2.3 -> v1-2-3 (for changelog)
+          echo "docs_version=${GIT_TAG//./-}" >> $GITHUB_OUTPUT
+
+      - name: Create Release
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844  # v0.1.15
+        with:
+          files: dist/*
+          draft: true
+          body: |
+            TBD.
+
+            **Changelog**: https://docs.disnake.dev/en/stable/whats_new.html#${{ steps.versions.outputs.docs_version }}
+            **Git history**: https://github.com/${{ github.repository }}/compare/vTODO...${{ github.ref_name }}
+
+
+  # Creates a PyPI release (using an environment which requires separate confirmation).
+  release-pypi:
+    name: Publish package to pypi.org
+    environment:
+      name: release-pypi
+      url: https://pypi.org/project/disnake/
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    needs:
+      - build
+      - validate-tag
+    permissions:
+      id-token: write  # this permission is mandatory for trusted publishing
+
+    steps:
+      - name: Download build artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: dist
+          path: dist/
+
+      - name: Upload to pypi
+        uses: pypa/gh-action-pypi-publish@f5622bde02b04381239da3573277701ceca8f6a0  # v1.8.7
+        with:
+          print-hash: true
+
+
+  # Creates a PR to bump to an alpha version for development, if applicable.
+  create-dev-version-pr:
+    name: Create dev version bump PR
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/') && needs.validate-tag.outputs.bump_dev
+    needs:
+      - validate-tag
+      - release-github
+      - release-pypi
+
+    steps:
+      # https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow
+      - name: Generate app token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92  # v1.8.0
+        with:
+          app_id: ${{ secrets.BOT_APP_ID }}
+          private_key: ${{ secrets.BOT_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v3
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          persist-credentials: false
+          ref: master  # the PR action wants a proper base branch
+
+      - name: Set git name/email
+        env:
+          GIT_USER: ${{ vars.GIT_APP_USER_NAME }}
+          GIT_EMAIL: ${{ vars.GIT_APP_USER_EMAIL }}
+        run: |
+          git config user.name "$GIT_USER"
+          git config user.email "$GIT_EMAIL"
+
+      - name: Update version to dev
+        id: update-version
+        run: |
+          NEW_VERSION="$(python scripts/ci/versiontool.py --set dev)"
+          git commit -a -m "chore: update version to v$NEW_VERSION"
+          echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT
+
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38  # v5.0.2
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          branch: auto/dev-v${{ steps.update-version.outputs.new_version }}
+          delete-branch: true
+          base: master
+          title: "chore: update version to v${{ steps.update-version.outputs.new_version }}"
+          body: |
+            Automated dev version PR.
+
+            <sub>https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}</sub>
+          labels: |
+            skip news
+            t: meta

.github/workflows/changelog.yaml

@@ -33,7 +33,7 @@ jobs:
           python-version: '3.9'
 
       - name: Install dependencies
-        run: pdm install -dG tools
+        run: pdm install -dG changelog
 
       - name: Check for presence of a Change Log fragment (only pull requests)
         # NOTE: The pull request' base branch needs to be fetched so towncrier

.github/workflows/create-release-pr.yaml

@@ -0,0 +1,81 @@
+# SPDX-License-Identifier: MIT
+
+name: Create Release PR
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "The new version number, e.g. `1.2.3`."
+        type: string
+        required: true
+
+permissions: {}
+
+jobs:
+  create-release-pr:
+    name: Create Release PR
+    runs-on: ubuntu-latest
+
+    env:
+      VERSION_INPUT: ${{ inputs.version }}
+
+    steps:
+      # https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow
+      - name: Generate app token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92  # v1.8.0
+        with:
+          app_id: ${{ secrets.BOT_APP_ID }}
+          private_key: ${{ secrets.BOT_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v3
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          persist-credentials: false
+
+      - name: Set git name/email
+        env:
+          GIT_USER: ${{ vars.GIT_APP_USER_NAME }}
+          GIT_EMAIL: ${{ vars.GIT_APP_USER_EMAIL }}
+        run: |
+          git config user.name "$GIT_USER"
+          git config user.email "$GIT_EMAIL"
+
+      - name: Set up environment
+        uses: ./.github/actions/setup-env
+        with:
+          python-version: 3.8
+
+      - name: Install dependencies
+        run: pdm install -dG changelog
+
+      - name: Update version
+        run: |
+          python scripts/ci/versiontool.py --set "$VERSION_INPUT"
+          git commit -a -m "chore: update version to $VERSION_INPUT"
+
+      - name: Build changelog
+        run: |
+          pdm run towncrier build --yes --version "$VERSION_INPUT"
+          git commit -a -m "docs: build changelog"
+
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38  # v5.0.2
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          branch: auto/release-v${{ inputs.version }}
+          delete-branch: true
+          title: "release: v${{ inputs.version }}"
+          body: |
+            Automated release PR, triggered by @${{ github.actor }} for ${{ github.sha }}.
+
+            ### Tasks
+            - [ ] Add changelogs from backports, if applicable.
+            - [ ] Once merged, create + push a tag.
+
+            <sub>https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}</sub>
+          labels: |
+            t: release
+          assignees: |
+            ${{ github.actor }}

.github/workflows/lint-test.yml

@@ -6,7 +6,7 @@ on:
   push:
     branches:
       - 'master'
-      - 'v[0-9]+.[0-9]+.x'  # matches to backport branches, e.g. 3.6
+      - 'v[0-9]+.[0-9]+.x'  # matches to backport branches, e.g. v3.6.x
       - 'run-ci/*'
     tags:
   pull_request:
@@ -124,10 +124,11 @@ jobs:
       run: nox -s check-manifest
 
     # This only runs if the previous steps were successful, no point in running it otherwise
-    - name: Build package
+    - name: Try building package
       run: |
-        python -m pip install -U build
-        python -m build
+        pdm install -dG build
+        pdm run python -m build
+        ls -la dist/
 
     # run the libcst parsers and check for changes
     - name: libcst codemod

.pre-commit-config.yaml

@@ -35,7 +35,7 @@ repos:
         args: [--negate]
         types: [text]
         exclude_types: [json, pofile]
-        exclude: 'changelog/|py.typed|disnake/bin/COPYING|.github/PULL_REQUEST_TEMPLATE.md|LICENSE|MANIFEST.in'
+        exclude: 'changelog/|py.typed|disnake/bin/COPYING|.github/PULL_REQUEST_TEMPLATE.md|.github/CODEOWNERS|LICENSE|MANIFEST.in'
 
   - repo: https://github.com/pycqa/isort
     rev: 5.12.0