From 9954cad7e3ca5ab2c958337c4166e6c45e47a610 Mon Sep 17 00:00:00 2001
From: almutlue <43293149+almutlue@users.noreply.github.com>
Date: Wed, 7 Aug 2024 10:52:25 +0200
Subject: [PATCH] ci:build and publish at pypi and test-pypi  (#15)

---
 .github/workflows/pypi-publish.yaml     | 40 ----------------
 .github/workflows/pypi-publish.yml      | 59 +++++++++++++++++++++++
 .github/workflows/test-pypi-publish.yml | 63 +++++++++++++++++++++++++
 3 files changed, 122 insertions(+), 40 deletions(-)
 delete mode 100644 .github/workflows/pypi-publish.yaml
 create mode 100644 .github/workflows/pypi-publish.yml
 create mode 100644 .github/workflows/test-pypi-publish.yml

diff --git a/.github/workflows/pypi-publish.yaml b/.github/workflows/pypi-publish.yaml
deleted file mode 100644
index 512fb4b..0000000
--- a/.github/workflows/pypi-publish.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-name: Publish Python Package
-
-on:
-  release:
-    types: [created]
-
-jobs:
-  build-n-publish:
-    name: Build and publish Python 🐍 distributions 📦 to PyPI
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Set up Python
-        uses: actions/setup-python@v4
-        with:
-          python-version: 3.9
-
-      - name: Install Poetry
-        run: |
-          pip install poetry
-          poetry self add "poetry-dynamic-versioning[plugin]"
-        # uses: snok/install-poetry@v1.1.6
-        # with:
-        #   virtualenvs-create: true
-        #   virtualenvs-in-project: true
-
-      # - name: Install dependencies
-      #   run: poetry install --no-interaction
-
-      - name: Build source and wheel archives
-        run: poetry build
-
-      - name: Publish distribution 📦 to PyPI
-        uses: pypa/gh-action-pypi-publish@v1.2.2
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_PASSWORD }}
diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml
new file mode 100644
index 0000000..029a913
--- /dev/null
+++ b/.github/workflows/pypi-publish.yml
@@ -0,0 +1,59 @@
+---
+name: Publish Python Package
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+
+jobs:
+  build-module:
+    name: Build and publish Python 🐍 distributions 📦 to PyPI
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5.1.1
+        with:
+          python-version: "3.9"
+
+      - name: Install Poetry
+        run: |
+          pip install poetry
+          poetry self add "poetry-dynamic-versioning[plugin]"
+
+      - name: Build source and wheel archives
+        run: poetry build
+
+      - name: Upload distributions
+      # https://github.com/actions/upload-artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-dists
+          path: dist/
+
+  pypi-publish:
+    name: Upload release to PyPI
+    needs:
+      - build-module
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/modos_schema
+    permissions:
+      id-token: write
+      # IMPORTANT: this permission is mandatory for trusted publishing
+    steps:
+    - name: Retrieve release distributions
+    # https://github.com/actions/download-artifact
+      uses: actions/download-artifact@v4.1.8
+      with:
+        name: release-dists
+        path: dist/
+    - name: Publish package distributions to PyPI
+    # https://github.com/pypa/gh-action-pypi-publish
+      uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/.github/workflows/test-pypi-publish.yml b/.github/workflows/test-pypi-publish.yml
new file mode 100644
index 0000000..b20e653
--- /dev/null
+++ b/.github/workflows/test-pypi-publish.yml
@@ -0,0 +1,63 @@
+# Workflow following resources at:
+#  - https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-pypi
+#  - https://packaging.python.org/en/latest/tutorials/packaging-projects/#uploading-the-distribution-archives
+# Jobs are split to prevent unneccessary priviledge elevation through write permissions during building.
+
+name: Build and publish on test-pypi
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  test-build:
+    name: Build python wheels
+    runs-on: ubuntu-latest
+    steps:
+      # https://github.com/actions/checkout
+      - uses: actions/checkout@v4
+      - name: Set up Python
+      # https://github.com/actions/setup-python
+        uses: actions/setup-python@v5.1.1
+        with:
+          python-version: "3.9"
+
+      - name: Install Poetry
+        run: |
+          pip install poetry
+
+      - name: Build source and wheel archives
+        run: poetry build
+
+      - name: Upload distributions
+      # https://github.com/actions/upload-artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-dists
+          path: dist/
+
+  pypi-test-publish:
+    name: Upload release to PyPI Test
+    needs:
+      - test-build
+    runs-on: ubuntu-latest
+    environment:
+      name: test-pypi
+      url: https://test.pypi.org/p/modos_schema
+    permissions:
+      id-token: write
+      # IMPORTANT: this permission is mandatory for trusted publishing
+    steps:
+    - name: Retrieve release distributions
+    # https://github.com/actions/download-artifact
+      uses: actions/download-artifact@v4.1.8
+      with:
+        name: test-dists
+        path: dist/
+    - name: Publish package distributions to TestPyPI
+    # https://github.com/pypa/gh-action-pypi-publish
+      uses: pypa/gh-action-pypi-publish@release/v1
+      with:
+        repository-url: https://test.pypi.org/legacy/
\ No newline at end of file