From d0e973ca6fe5b05ef57a35aa796c932809b1a91d Mon Sep 17 00:00:00 2001
From: Brendon Smith
Date: Fri, 26 Apr 2024 22:06:08 -0400
Subject: [PATCH] Use dedicated GitHub Actions job for PyPI This project uses pypa/gh-action-pypi-publish to publish Python packages to PyPI with an OIDC trusted publisher (6e532c6). pypa/gh-action-pypi-publish is set up as a Docker action referencing the Dockerfile. The downside to using the Dockerfile for the action is that the Docker image must be built every time the action is used. This will hopefully change in the near future if Docker images are pre-built and pushed to a registry (pypa/gh-action-pypi-publish#230). In the meantime, this commit will move related steps to a dedicated GitHub Actions job so that the Docker image is not built every time GitHub Actions jobs run. 6e532c6 https://docs.github.com/en/actions/creating-actions/creating-a-docker-container-action https://docs.pypi.org/trusted-publishers/ https://github.com/pypa/gh-action-pypi-publish
---
 .github/workflows/ci.yml | 40 ++++++++++++++++++++++++++++++++--------
 1 file changed, 32 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 211984f..88c679f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,9 +30,14 @@ jobs:
 else
 environment_name=""
 fi
- timestamp="$(date -Iseconds)"
- url="https://api.github.com/repos/${{ github.repository }}/deployments"
- environment_url="$url?timestamp=$timestamp"
+ if [ "$environment_name" = "PyPI" ]; then
+ url="https://pypi.org/project/${GITHUB_REPOSITORY##*/}/"
+ environment_url="$url$GITHUB_REF_NAME/"
+ else
+ timestamp="$(date -Iseconds)"
+ url="https://api.github.com/repos/$GITHUB_REPOSITORY/deployments"
+ environment_url="$url?timestamp=$timestamp"
+ fi
 echo "environment-name=$environment_name" >>"$GITHUB_OUTPUT"
 echo "environment-url=$environment_url" >>"$GITHUB_OUTPUT"
 - name: Create annotation for deployment environment
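Review bot: The PyPI branch of this script builds `environment_url` from `${GITHUB_REPOSITORY##*/}` and `$GITHUB_REF_NAME`, which silently assumes that the repository name equals the PyPI project name and that the tag text is exactly the published version (no `v` prefix); neither assumption is stated anywhere in the hunk. A short comment above the new `if`, such as `# PyPI URL assumes repo name == project name and tag == package version`, would make that explicit for whoever changes the tagging scheme later. The step's opening lines and the logic that assigns `environment_name` are outside the hunk, so whether tag names are validated earlier cannot be seen from here.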
@@ -41,9 +46,6 @@ jobs:
 ci:
 runs-on: ubuntu-latest
 needs: [setup]
- environment:
- name: ${{ needs.setup.outputs.environment-name }}
- url: ${{ needs.setup.outputs.environment-url }}&python=${{ matrix.python-version }}
 permissions:
 id-token: write
 strategy:
@@ -130,15 +132,37 @@ jobs:
 run: hatch run ${{ env.HATCH_ENV }}:coverage report
 - name: Build Python package
 run: hatch build
- - name: Publish Python package to PyPI
+ - name: Upload Python package artifacts
 if: >
 github.ref_type == 'tag' &&
 matrix.python-version == '3.12' &&
 needs.setup.outputs.environment-name == 'PyPI'
+ uses: actions/upload-artifact@v4
+ with:
+ if-no-files-found: error
+ name: fastenv-${{ github.ref_name }}
+ path: dist
+ pypi:
+ environment:
+ name: ${{ needs.setup.outputs.environment-name }}
+ url: ${{ needs.setup.outputs.environment-url }}
+ if: github.ref_type == 'tag' && needs.setup.outputs.environment-name == 'PyPI'
+ needs: [setup, ci]
+ permissions:
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Download Python package artifacts
+ uses: actions/download-artifact@v4
+ with:
+ merge-multiple: true
+ name: fastenv-${{ github.ref_name }}
+ path: dist
+ - name: Publish Python package to PyPI
 uses: pypa/gh-action-pypi-publish@release/v1.8
 changelog:
 if: github.ref_type == 'tag'
- needs: [ci]
+ needs: [ci, pypi]
 permissions:
 contents: write
 pull-requests: write
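Review bot: The new `pypi` job holds `id-token: write` yet runs `actions/download-artifact@v4` and `pypa/gh-action-pypi-publish@release/v1.8` by mutable tag and branch refs, so whatever those refs resolve to at run time executes in the job that can mint the PyPI OIDC token. Pinning each `uses:` in this job to a full commit SHA, e.g. `uses: actions/download-artifact@<full-commit-sha>  # v4`, fixes the code that runs alongside the token. Separately, the `ci` job in the previous hunk keeps `permissions: id-token: write` after publishing moved out of it; if no remaining step outside the visible hunks needs OIDC, dropping it there would confine token minting to the environment-gated job. `merge-multiple: true` also appears to have no effect when a single `name` is given and could be removed.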