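---
# Build the distribution and publish it: to TestPyPI on every pushed tag (or a
# manual run), and to the real PyPI when a GitHub Release is published.  Each
# job builds from a fresh checkout on a hardened runner whose outbound traffic
# is denied except for the endpoints listed per job.
name: Build & push package to (Test-) PyPI

# `on` parses as a YAML 1.1 boolean in generic loaders; GitHub's loader treats
# it as the key.
# yamllint disable-line rule:truthy
on:
  push:
    tags: ["*"]
  release:
    types:
      - published
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the jobs only read the repository.
# Publishing authenticates with the environment-scoped API-token secrets, not
# with GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  release-test-pypi:
    # Environment holds TEST_PYPI_API_TOKEN and any required reviewers.
    environment: release-test-pypi
    runs-on: ubuntu-latest
    # Runs for pushed tags and for manual dispatches.  Previously the
    # workflow_dispatch trigger was declared but no job's condition matched
    # it, so a manual run started nothing; TestPyPI is the low-risk target
    # for that path.
    if: >-
      github.event_name == 'workflow_dispatch' ||
      (github.event_name == 'push' && startsWith(github.ref, 'refs/tags'))
    steps:
      - name: Harden Runner
        # NOTE(review): `v2` is a mutable tag; pinning third-party actions to
        # the full commit SHA of the chosen release is the recommended
        # supply-chain control.
        uses: step-security/harden-runner@v2
        with:
          # Deny all outbound traffic except the endpoints listed below.
          egress-policy: block
          # Need the real pypi.org for installations (pip fetches build/twine
          # from pypi.org / files.pythonhosted.org); test.pypi.org is the
          # upload target of this job.
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443
            test.pypi.org:443

      - uses: actions/checkout@v3
        # Shallow clone by default.  Add `fetch-depth: 0` under `with:` if
        # the build derives the package version from git history.

      - name: Build package
        # `twine check --strict` validates the built metadata/long description
        # before anything is uploaded.
        run: |
          python -m pip install -U build twine wheel
          python -m build
          twine check --strict dist/*

      # Upload to Test PyPI on every pushed tag.
      - name: Publish package to TestPyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          # Project-scoped API token stored in the environment's secrets.
          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
          repository_url: https://test.pypi.org/legacy/

  release-pypi:
    # Environment holds PYPI_API_TOKEN and any required reviewers.
    environment: release-pypi
    runs-on: ubuntu-latest
    # Among the configured triggers only the `release` event carries
    # action == 'published', so this job runs solely for published releases.
    if: github.event.action == 'published'
    steps:
      - name: Harden Runner
        # NOTE(review): `v2` is a mutable tag; pin to the release's commit SHA.
        uses: step-security/harden-runner@v2
        with:
          # Deny all outbound traffic except the endpoints listed below;
          # test.pypi.org is deliberately absent since this job never talks
          # to it.
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443

      - uses: actions/checkout@v3
        # Shallow clone by default.  Add `fetch-depth: 0` under `with:` if
        # the build derives the package version from git history.

      - name: Build package
        # `twine check --strict` validates the built metadata/long description
        # before anything is uploaded.
        run: |
          python -m pip install -U build twine wheel
          python -m build
          twine check --strict dist/*

      # Upload to real PyPI on GitHub Releases.
      - name: Publish package to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          # Project-scoped API token stored in the environment's secrets.
          # NOTE(review): PyPI trusted publishing (OIDC) would remove this
          # long-lived secret; it needs `id-token: write` on the job and the
          # publisher configured on PyPI.
          password: ${{ secrets.PYPI_API_TOKEN }}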