# use PyPI trusted publishing, as described here: 
# https://blog.trailofbits.com/2023/05/23/trusted-publishing-a-new-benchmark-for-packaging-security/
name: publish to pypi

on:
  push:
    branches:
      - 'williballenthin-patch-1'
  release:
    types: [published]

#permissions:
#  contents: write

jobs:
  pypi-publish:
    runs-on: ubuntu-latest
    environment:
      name: release
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Set up Python
        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
        with:
          python-version: '3.8'
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e .[build]
      - name: build package
        run: |
          python -m build
      - name: upload package artifacts
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          path: dist/*
      - name: upload package to GitHub release
        uses: svenstaro/upload-release-action@2728235f7dc9ff598bd86ce3c274b74f802d2208 # v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN}}
          file: dist/*
          tag: ${{ github.ref }}
          overwrite: true
          file_glob: true
      - name: publish package
        uses: pypa/gh-action-pypi-publish@f5622bde02b04381239da3573277701ceca8f6a0  # release/v1
        with:
          skip-existing: true
          verbose: true
          print-hash: true