From 170837e33058d04a22b029045f8ed1cbbf544e86 Mon Sep 17 00:00:00 2001
From: amercader <amercadero@gmail.com>
Date: Mon, 2 Dec 2024 12:58:55 +0100
Subject: [PATCH] Fixes in the PyPI publish workflow

I separated the PyPI and Test PyPI worflows in two separate files (and
also two different GitHub environments) for ease of configuration and
security. Added better event checks (on tag push and push to master)
The publishing to Test PyPI on each merge requires another step to add a
timestamp to the version number otherwise the upload fails.
---
 .github/workflows/publish-pypi.yml      | 38 ++++-------------
 .github/workflows/publish-test-pypi.yml | 56 +++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 30 deletions(-)
 create mode 100644 .github/workflows/publish-test-pypi.yml

diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index 7c61675c947..574b202df09 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -1,12 +1,15 @@
-name: Publish to PyPI and TestPyPI
+name: Publish to PyPI
 
-on: push
+# Publish to PyPI when a tag is pushed
+on:
+  push:
+    tags:
+      - 'ckan-**'
 
 jobs:
   build:
     name: Build distribution
     runs-on: ubuntu-latest
-
     steps:
     - uses: actions/checkout@v4
     - name: Set up Python
@@ -22,15 +25,13 @@ jobs:
     - name: Build a binary wheel and a source tarball
       run: python3 -m build
     - name: Store the distribution packages
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: python-package-distributions
         path: dist/
 
   publish-to-pypi:
     name: Publish Python distribution on PyPI
-    # Publish to PyPI when pushing a tag
-    if: startsWith(github.ref, 'refs/tags/')
     needs:
     - build
     runs-on: ubuntu-latest
@@ -41,32 +42,9 @@ jobs:
       id-token: write
     steps:
     - name: Download all the dists
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
         name: python-package-distributions
         path: dist/
     - name: Publish distribution to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
-
-  publish-to-testpypi:
-    name: Publish Python distribution on TestPyPI
-    # Publish to Test PyPI when a pull request is merged
-    if: github.event_name == 'pull_request' && github.event.action == 'closed' && github.event.pull_request.merged == true
-    needs:
-    - build
-    runs-on: ubuntu-latest
-    environment:
-      name: pypi
-      url: https://test.pypi.org/p/ckan
-    permissions:
-      id-token: write
-    steps:
-    - name: Download all the dists
-      uses: actions/download-artifact@v3
-      with:
-        name: python-package-distributions
-        path: dist/
-    - name: Publish distribution to PyPI
-      uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        repository-url: https://test.pypi.org/legacy/
diff --git a/.github/workflows/publish-test-pypi.yml b/.github/workflows/publish-test-pypi.yml
new file mode 100644
index 00000000000..753b37e9dfd
--- /dev/null
+++ b/.github/workflows/publish-test-pypi.yml
@@ -0,0 +1,56 @@
+name: Publish to TestPyPI
+
+# Publish to Test PyPI when a pull request is merged to master
+on:
+  push:
+    branches:
+      - 'master'
+
+jobs:
+  build:
+    name: Build distribution
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: "3.9"
+    - name: Add timestamp to version number
+      run: |
+        TIMESTAMP=$(date +"%Y%m%d%H%M")
+        sed -E -i 's/__version__ = "(.*)"$/__version__ = "\1.post'$TIMESTAMP'"/' ckan/__init__.py
+    - name: Install pypa/build
+      run: >-
+        python3 -m
+        pip install
+        build
+        --user
+    - name: Build a binary wheel and a source tarball
+      run: python3 -m build
+    - name: Store the distribution packages
+      uses: actions/upload-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+
+  publish-to-testpypi:
+    name: Publish Python distribution on TestPyPI
+    needs:
+    - build
+    runs-on: ubuntu-latest
+    environment:
+      name: test-pypi
+      url: https://test.pypi.org/p/ckan
+    permissions:
+      id-token: write
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Publish distribution to TestPyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
+      with:
+        repository-url: https://test.pypi.org/legacy/