attrs/.github/workflows/pypi-package.yml

---
name: Build & push package to (Test-) PyPI

on:
  push:
    tags: ["*"]
  release:
    types:
      - published
  workflow_dispatch:

permissions:
  contents: read

jobs:
  release-test-pypi:
    environment: release-test-pypi
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') && github.repository_owner == 'python-attrs'

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            test.pypi.org:443

      - uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - uses: hynek/build-and-inspect-python-package@v1
        id: baipp

      # Upload to Test PyPI on every pushed tag.
      - name: Publish package to TestPyPI

        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
          repository_url: https://test.pypi.org/legacy/
          packages_dir: ${{ steps.baipp.outputs.dist }}

  release-pypi:
    environment: release-pypi
    runs-on: ubuntu-latest
    if: github.event.action == 'published' && github.repository_owner == 'python-attrs'

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443

      - uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - uses: hynek/build-and-inspect-python-package@v1
        id: baipp

      # Upload to real PyPI on GitHub Releases.
      - name: Publish package to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
          packages_dir: ${{ steps.baipp.outputs.dist }}