name: Build & maybe upload PyPI package

on:
  push:
  pull_request:
  release:
    types:
      - published
  workflow_dispatch:

permissions: {}

env:
  FORCE_COLOR: 1

jobs:
  # Always build & lint package.
  build-package:
    name: Build & verify package
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0

      - name: Compile translations
        run: |
          pip install --upgrade pip
          pip install -r requirements.txt
          python babel_runner.py compile

      - uses: hynek/build-and-inspect-python-package@fe0a0fb1925ca263d076ca4f2c13e93a6e92a33e # v2.17.0

  # Upload to real PyPI on GitHub Releases.
  release-pypi:
    name: Publish to PyPI
    environment: release-pypi
    # Only run for published releases.
    if: |
      github.repository_owner == 'python'
      && github.event.action == 'published'
    runs-on: ubuntu-latest
    needs: build-package

    permissions:
      id-token: write

    steps:
      - name: Download packages built by build-and-inspect-python-package
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: Packages
          path: dist

      - name: Upload package to PyPI
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0