ci: add explicit workflow permissions (#220)

Author: darvid

.github/workflows/build.yml

@@ -33,6 +33,8 @@ jobs:
   check_event:
     name: Repo and event checks
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       valid_event: ${{ steps.check.outputs.valid_event }}
     steps:
@@ -62,6 +64,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: check_event
     if: needs.check_event.outputs.valid_event == 'true'
+    permissions:
+      contents: read
     outputs:
       should_build: ${{ steps.check.outputs.should_build }}
     steps:
@@ -158,6 +162,9 @@ jobs:
     needs: [check_changes, check_event]
     if: needs.check_event.outputs.valid_event == 'true' && needs.check_changes.outputs.should_build == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -188,6 +195,9 @@ jobs:
     runs-on: ${{ matrix.os }}
     needs: [check_changes, check_event]
     if: needs.check_event.outputs.valid_event == 'true' && needs.check_changes.outputs.should_build == 'true'
+    permissions:
+      contents: read
+      actions: write
     strategy:
       fail-fast: false
       matrix:

.github/workflows/publish.yml

@@ -12,6 +12,9 @@ jobs:
     name: Build source distribution and wheels
     uses: ./.github/workflows/build.yml
     if: github.event.pull_request.merged == true && startsWith(github.event.pull_request.head.ref, ${{ vars.RELEASE_PR_BRANCH || 'create-pull-request' }}) && github.repository == 'darvid/python-hyperscan'
+    permissions:
+      contents: read
+      actions: write
     with:
       force_build: true
 
@@ -40,14 +43,42 @@ jobs:
       - name: List artifacts
         run: ls -R dist/
 
+      - name: Check if release is needed
+        id: release_check
+        run: |
+          # Check if HEAD already has a release version tag (prevents redundant releases)
+          if git describe --exact-match --tags HEAD --match "v*" 2>/dev/null; then
+            EXISTING_TAG=$(git describe --exact-match --tags HEAD --match "v*" 2>/dev/null)
+            echo "HEAD already tagged with release version $EXISTING_TAG, no release needed"
+            echo "should_release=false" >> $GITHUB_OUTPUT
+          else
+            # Check if there are commits since last release
+            LATEST_TAG=$(git describe --tags --abbrev=0 --match "v*" 2>/dev/null || echo "")
+            if [[ -n "$LATEST_TAG" ]]; then
+              COMMITS_COUNT=$(git rev-list ${LATEST_TAG}..HEAD --count 2>/dev/null || echo "1")
+              if [[ "$COMMITS_COUNT" -eq 0 ]]; then
+                echo "No commits since last release $LATEST_TAG, no new content to release"
+                echo "should_release=false" >> $GITHUB_OUTPUT
+              else
+                echo "Found $COMMITS_COUNT commits since $LATEST_TAG, proceeding with release"
+                echo "should_release=true" >> $GITHUB_OUTPUT
+              fi
+            else
+              echo "No previous release found, proceeding with initial release"
+              echo "should_release=true" >> $GITHUB_OUTPUT
+            fi
+          fi
+
       - name: Publish to GitHub Releases
+        if: steps.release_check.outputs.should_release == 'true'
         uses: python-semantic-release/publish-action@v9.21.1
         with:
           inputs: ./dist
           github_token: ${{ secrets.GITHUB_TOKEN }}
           tag: latest
 
       - name: Publish to PyPI
+        if: steps.release_check.outputs.should_release == 'true'
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           skip-existing: true