---
name: Build & maybe upload PyPI package

on:
  push:
    branches: [master, main]
    tags: ["*"]
  pull_request:
    branches: [master, main]
  release:
    types:
      - published
  workflow_dispatch:

permissions:
  contents: read
  # Needed for trusted publishing.
  id-token: write

jobs:
  # Always build & lint package.
  build-package:
    name: Build & verify package
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - uses: hynek/build-and-inspect-python-package@v1

  # Upload to Test PyPI on every commit on main.
  release-test-pypi:
    name: Publish in-dev package to test.pypi.org
    environment: release-test-pypi
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    needs: build-package

    steps:
      - name: Download packages built by build-and-inspect-python-package
        uses: actions/download-artifact@v3
        with:
          name: Packages
          path: dist

      - name: Upload package to Test PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          repository-url: https://test.pypi.org/legacy/

  # Upload to real PyPI on GitHub Releases.
  release-pypi:
    name: Publish released package to pypi.org
    environment: release-pypi
    if: github.event.action == 'published'
    runs-on: ubuntu-latest
    needs: build-package

    steps:
      - name: Download packages built by build-and-inspect-python-package
        uses: actions/download-artifact@v3
        with:
          name: Packages
          path: dist

      - name: Upload package to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1