feat: seperate release build and publish jobs

kbdharun · kbdharun · commit 6a9448109561 · 2025-03-27T20:02:37.000+05:30
Signed-off-by: K.B.Dharun Krishna &lt;kbdharunkrishna@gmail.com&gt;
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -6,19 +6,15 @@ name: Upload Python Package
 
 on:
   release:
-    types: [created]
+    types: [published]
 
 jobs:
-  pypi-publish:
+  release-build:
     runs-on: ubuntu-latest
-
-    environment: 
-      name: pypi
-      url: https://pypi.org/project/tldr/
-
     permissions:
       contents: read
-      id-token: write # Required for accessing OpenID Connect (OIDC) token for PyPI trusted publisher
+      attestations: write # to upload assets attestation of 'dists' for build provenance
+      id-token: write # grant additional permission to attestation action to mint the OIDC token permission
 
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -29,40 +25,57 @@ jobs:
         python-version: '3.9'
 
     - name: Install sphinx toolset
-      run: >-
-        python -m
-        pip install
-        sphinx
-        sphinx-argparse
-        --user
+      run:
+        python -m pip install sphinx sphinx-argparse --user
 
     - name: Install tldr dependencies
-      run: >-
-        python -m
-        pip install
-        -r
-        requirements.txt
-        --user
+      run:
+        python -m pip install -r requirements.txt --user
 
     - name: Generate the manpage
       working-directory: docs
       run: make man
 
     - name: Install pep517
-      run: >-
-        python -m
-        pip install
-        pep517
-        --user
+      run:
+        python -m pip install pep517 --user
 
     - name: Build a binary wheel and a source tarball
       run: >-
-        python -m
-        pep517.build
+        python -m pep517.build
         --source
         --binary
         --out-dir dist/
         .
 
+    - name: Attest generated files
+      uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+      with:
+        subject-path: dist/
+
+    - name: Upload release distributions
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      with:
+        name: release-dists
+        path: dist/
+
+  pypi-publish:
+    runs-on: ubuntu-latest
+    needs: ['release-build']
+    
+    environment: 
+      name: pypi
+      url: https://pypi.org/project/tldr/
+    
+    permissions:
+      id-token: write # Required for accessing OpenID Connect (OIDC) token for PyPI trusted publisher
+    
+    steps:
+    - name: Retrieve release distributions
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: release-dists
+        path: dist/
+
     - name: Publish package
       uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
