From ddb98aa7792b644cde8f5fd0e311662b48cde574 Mon Sep 17 00:00:00 2001 From: Stef Smeets Date: Mon, 17 Jun 2024 17:09:29 +0200 Subject: [PATCH] Set up trusted publishing pipeline
---
 .github/workflows/publish.yml | 55 +++++++++++++++++++++++++++++++---- 1 file changed, 49 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a421b953..4f9cd841 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,23 +5,66 @@ on: types: [created] jobs: - build: + fix_release_deps: + permissions: write-all runs-on: ubuntu-latest - steps: - uses: actions/checkout@v3 - uses: actions/setup-python@v4 with: python-version: '3.11' + - name: Install dependencies + run: | + python -m pip install --upgrade pip pip-tools setuptools + + - name: Set configuration + run: | + git config --global user.name "${GITHUB_ACTOR}" + git config --global user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com" + + - name: Create requirements files + run: | + python tools/generate_requirements_txt.py + pip-compile -o requirements_full.txt pyproject.toml + git add requirements_full.txt requirements.txt + git commit -m "Updated requirements.txt files" || true + + - name: Bump version to new tag + run: | + python -m pip install bump-my-version + bump-my-version bump --new-version $GITHUB_REF_NAME patch + git commit -am "Bump version to: $GITHUB_REF_NAME" + + - name: Push back changes to main and tag + run: | + git tag --force $GITHUB_REF_NAME HEAD + git push --force --tags + git switch -C main + git push --set-upstream -f origin main + + deploy: + needs: fix_release_deps + runs-on: ubuntu-latest + environment: release + permissions: + # IMPORTANT: this permission is mandatory for trusted publishing + id-token: write + + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.ref_name }} + + - uses: actions/setup-python@v4 + with: + python-version: '3.12' + - name: Install dependencies run: | python -m pip install --upgrade pip - pip install -U build setuptools wheel + python -m pip install build setuptools>=61.2 wheel python -m build --no-isolation - name: Publish package uses: pypa/gh-action-pypi-publish@release/v1 - with: - user: __token__ - password: ${{ secrets.PYPI_TOKEN }}
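Review bot: The deploy job's "Install dependencies" step runs `python -m pip install build setuptools>=61.2 wheel` unquoted, so the shell reads `>=61.2` as a redirection: pip installs an unpinned setuptools and the command's stdout lands in a file named `=61.2`; quote the specifier, `python -m pip install build 'setuptools>=61.2' wheel`. In fix_release_deps, `permissions: write-all` grants every token scope to a job whose visible steps only commit and push; `permissions:` with `contents: write` is the least privilege that covers its `git push` calls. The same job's `git switch -C main` followed by `git push --set-upstream -f origin main` rewrites main to the tag's commit unconditionally, which could discard anything merged to main after the release tag was cut, so it deserves either a guard or a comment stating that this overwrite is intended. For a trusted-publishing pipeline, `actions/checkout@v3`, `actions/setup-python@v4` and `pypa/gh-action-pypi-publish@release/v1` are mutable refs; pinning each `uses:` to a full commit SHA keeps the release job's supply chain fixed.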