Revamp publishing workflow

.github/workflows/publish_pypi.yml

@@ -1,38 +1,83 @@
 name: Build and publish package to PyPI
 
 on:
-  push:
-    tags:
-    - '*'
+  release:
+    types: [published]
   workflow_dispatch:
     inputs:
       target:
-        description: 'Deployment target. Can be "pypi" or "testpypi"'
-        default: "pypi"
+        description: 'Deployment target. Can be "pypi" or "testpypi", or left as blank to skip publishing. Default is blank.'
+        default: ""
 
 jobs:
-  publish_pypi:
-    name: Build wheels on ubuntu-latest
+  build:
+    name: Build sdist and wheel
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
-          python-version: 3.8
-      - name: Install dependencies
+          python-version: "3.x"
+
+      - name: Build distributions
+        run: pipx run build
+
+      - name: Build, inspect, and display contents of distributions
+        shell: bash
         run: |
-          python -m pip install --upgrade pip
-          pip install build
-      - name: Build package
-        run: python -m build
-      - name: Publish on PyPI
-        if: github.event.inputs.target == 'pypi'
-        uses: pypa/gh-action-pypi-publish@release/v1
+          mkdir -p output/sdist
+          tar -xf dist/*.tar.gz -C output/sdist
+
+          echo -e '## View source distribution (SDist) contents\n' >> $GITHUB_STEP_SUMMARY
+          echo -e '```\n' >> $GITHUB_STEP_SUMMARY
+          (cd output/sdist && tree -a * | sed 's/^/    /' | tee -a $GITHUB_STEP_SUMMARY)
+          echo -e '\n```\n' >> $GITHUB_STEP_SUMMARY
+
+          mkdir -p output/wheel
+          pipx run wheel unpack dist/*.whl -d output/wheel
+
+          echo -e '## View binary distribution (wheel) contents\n' >> $GITHUB_STEP_SUMMARY
+          echo -e '```\n' >> $GITHUB_STEP_SUMMARY
+          (cd output/wheel && tree -a * | sed 's/^/    /' | tee -a $GITHUB_STEP_SUMMARY)
+          echo -e '\n```\n' >> $GITHUB_STEP_SUMMARY
+
+      - name: Upload sdist and wheel artifacts
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
-          password: ${{ secrets.PYPI_API_TOKEN }}
-      - name: Publish on TestPyPI
+          name: distributions
+          path: dist/*
+
+  publish:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/bpx
+    permissions:
+      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
+    needs: [build]
+    if: >-
+      github.event_name == 'release' &&
+      github.event.action == 'published' ||
+      github.event_name == 'workflow_dispatch' &&
+      github.event.inputs.target == 'pypi' ||
+      github.event.inputs.target == 'testpypi'
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          path: dist
+          merge-multiple: true
+
+      - name: Upload to PyPI
+        if: github.event.inputs.target == 'pypi' || github.event_name == 'release' && github.event.action == 'published'
+        uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2
+        with:
+          packages-dir: dist
+
+      - name: Upload to TestPyPI
         if: github.event.inputs.target == 'testpypi'
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2
         with:
-          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
-          repository_url: https://test.pypi.org/legacy/
+          repository-url: https://test.pypi.org/legacy/
+          packages-dir: dist