argon2-cffi/.github/workflows/pypi-package.yml

---
name: Build & upload PyPI package

on:
  push:
    branches: [main]
    tags: ["*"]
  release:
    types:
      - published
  workflow_dispatch:


jobs:
  # Always build & lint package.
  build-package:
    name: Build & verify package
    runs-on: ubuntu-latest
    permissions:
      attestations: write
      id-token: write

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false

      - uses: hynek/build-and-inspect-python-package@fe0a0fb1925ca263d076ca4f2c13e93a6e92a33e # v2.17.0
        with:
          attest-build-provenance-github: 'true'


  # Upload to Test PyPI on every commit on main.
  release-test-pypi:
    name: Publish in-dev package to test.pypi.org
    environment: release-test-pypi
    if: github.repository_owner == 'hynek' && github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    needs: build-package

    permissions:
      id-token: write

    steps:
      - name: Download packages built by build-and-inspect-python-package
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: Packages
          path: dist

      - name: Upload package to Test PyPI
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
        with:
          repository-url: https://test.pypi.org/legacy/


  # Upload to real PyPI on GitHub Releases.
  release-pypi:
    name: Publish released package to pypi.org
    environment: release-pypi
    if: github.repository_owner == 'hynek' && github.event.action == 'published'
    runs-on: ubuntu-latest
    needs: build-package

    permissions:
      id-token: write

    steps:
      - name: Download packages built by build-and-inspect-python-package
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: Packages
          path: dist

      - name: Upload package to PyPI
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0