diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
new file mode 100644
index 00000000..9d09bff6
--- /dev/null
+++ b/.github/workflows/pypi-package.yml
@@ -0,0 +1,77 @@
+---
+name: Build & push package to (Test-) PyPI
+
+on:
+ push:
+ branches: [main]
+ tags: ["*"]
+ pull_request:
+ branches: [main]
+ release:
+ types:
+ - published
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ release-test-pypi:
+ environment: release-test-pypi
+ runs-on: ubuntu-latest
+ if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') && github.repository_owner == 'python-attrs'
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ files.pythonhosted.org:443
+ github.com:443
+ test.pypi.org:443
+
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - uses: hynek/build-and-inspect-python-package@v1
+ id: baipp
+
+ # Upload to Test PyPI on every pushed tag.
+ - name: Publish package to TestPyPI
+
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ password: ${{ secrets.TEST_PYPI_API_TOKEN }}
+ repository_url: https://test.pypi.org/legacy/
+ packages_dir: ${{ steps.baipp.outputs.dist }}
+
+ release-pypi:
+ environment: release-pypi
+ runs-on: ubuntu-latest
+ if: github.event.action == 'published' && github.repository_owner == 'python-attrs'
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ files.pythonhosted.org:443
+ github.com:443
+ pypi.org:443
+
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - uses: hynek/build-and-inspect-python-package@v1
+ id: baipp
+
+ # Upload to real PyPI on GitHub Releases.
+ - name: Publish package to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ password: ${{ secrets.PYPI_API_TOKEN }}
+ packages_dir: ${{ steps.baipp.outputs.dist }}
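Review bot: Every action in both publish jobs is referenced by a mutable tag (`step-security/harden-runner@v2`, `actions/checkout@v3`, `hynek/build-and-inspect-python-package@v1`, `pypa/gh-action-pypi-publish@release/v1`), so the jobs that hold the PyPI and TestPyPI tokens execute whatever those refs point to at run time; pinning each to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v3`, makes the release path reproducible and auditable. The two `password: ${{ secrets.* }}` steps depend on long-lived API tokens stored in the repository; if the project can use PyPI trusted publishing, giving these jobs `permissions: id-token: write` and dropping the `password:` lines removes the stored secrets altogether. In the release-test-pypi job the egress allowlist contains `test.pypi.org:443` but not `pypi.org:443`, so if the build action resolves build dependencies against the PyPI index, the `egress-policy: block` setting would presumably fail that step before any upload — worth confirming on a tag push. There is also a stray blank line between `- name: Publish package to TestPyPI` and its `uses:` that the matching PyPI step does not have.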