.github/workflows/release.yml

name: Publish packages

on:
  release:
    types: [released]

# Allow only one concurrent deployment
concurrency:
  group: "release"
  cancel-in-progress: false

jobs:
  build-package:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
            python-version: "3.x"

      - name: Install dependencies
        run: python3 -m pip install tox tox-conda

      - uses: actions/cache@v4
        with:
            key: tox|build-package|${{ runner.os }}-${{ runner.arch}}|${{ hashFiles('requirements/locks/*') }}
            path: .tox

      - name: Build package
        run: tox -e build-package

      - uses: actions/upload-artifact@v4
        with:
          name: packages
          path: dist/
          retention-days: 10
          if-no-files-found: error

  pypi-publish:
    name: Publish to PyPI
    runs-on: ubuntu-latest
    needs: build-package
    environment:
      name: release
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: packages
          path: dist/

      # External actions are disabled via organization policies therefore we
      # must instead manually implement it.
      # https://docs.pypi.org/trusted-publishers/using-a-publisher/#the-manual-way
      # - name: Publish package distributions to PyPI
      #   uses: pypa/gh-action-pypi-publish@release/v1

      - uses: actions/setup-python@v5
        with:
            python-version: "3.x"

      - name: Install dependencies
        run: python -m pip install twine

      - name: Check package metadata
        run: python -m twine check --strict dist/*

      - name: Upload to PyPI
        env:
          TWINE_USERNAME: __token__
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
        run: python3 -m twine upload --disable-progress-bar --verbose --non-interactive dist/*