---

name: Release
on:
  release:
    types:
      - published

permissions:
  contents: read

jobs:
  build:
    name: Build Release Packages
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Set up Python
        id: setup
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          python-version: '3.x'

      - name: Install build tools
        run: |
          python -m pip install --upgrade pip
          python -m pip install --upgrade build

      - name: Build packages
        run: python -m build

      - name: Save built packages as artifact
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
        with:
          name: packages-${{ runner.os }}-${{ steps.setup.outputs.python-version }}
          path: dist/
          if-no-files-found: error
          retention-days: 5

  publish:
    name: Upload release to PyPI
    needs: build
    runs-on: ubuntu-latest
    environment: release
    permissions:
      attestations: write
      contents: read
      id-token: write
    steps:
      - name: Download packages
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
        with:
          pattern: packages-*
          path: dist
          merge-multiple: true

      - name: Publish package distributions to PyPI
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # v1.14.0