From 32d3391b1a01261a6b1e3d1893844f662049cd44 Mon Sep 17 00:00:00 2001
From: Andrew Senetar
Date: Wed, 14 Jan 2026 07:08:02 +0000
Subject: [PATCH] ci: Add ability to use trusted-publishing for PyPI

- Add Publish workflow to run on release tags to upload package to PyPI
- Add Build of packages to end of Default CI/CD workflow when on master branch.
---
 .github/workflows/default.yml | 22 ++++++++++++++++++++++
 .github/workflows/publish.yml | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 .github/workflows/publish.yml

diff --git a/.github/workflows/default.yml b/.github/workflows/default.yml
index 9eebc57..9d99612 100644
--- a/.github/workflows/default.yml
+++ b/.github/workflows/default.yml
@@ -74,3 +74,25 @@ jobs:
 - name: Run tests
 run: |
 pytest
+ build:
+ needs: test
+ runs-on: ubuntu-latest
+ if: github.ref == 'refs/heads/master'
+ steps:
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - name: Set up Python 3.x
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+ with:
+ python-version: 3.x
+ - name: Install build dependencies
+ run: |
+ python -m pip install --upgrade pip setuptools build
+ - name: Build package
+ run: |
+ python -m build
+ - name: Upload build artifacts
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+ with:
+ name: dist
+ path: dist/
+ if-no-files-found: error
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..78b51b6
--- /dev/null
+++ b/.github/workflows/publish.yml
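Review bot: The new `build` job declares no `permissions:` block, so its GITHUB_TOKEN inherits whatever the workflow or repository default is (on older repositories that can still be write-all); a job that only checks out, builds and uploads an artifact needs nothing beyond `permissions:` / `contents: read`, and because this artifact is what the release workflow later uploads to PyPI, pinning that job to the least-privilege scope is worth doing explicitly. The actions are SHA-pinned, but `python -m pip install --upgrade pip setuptools build` fetches whichever versions of the build toolchain are current on PyPI at run time, so two builds of the same commit can differ and a bad release of one of those packages would flow straight into the published distribution; pinning them (for example through a hashed requirements file) brings the toolchain under the same control as the actions. The `jobs:` mapping this job is appended to, along with the workflow's triggers and any workflow-level `permissions:`, lies outside the hunk, so whether a restrictive default already applies cannot be confirmed from here.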
@@ -0,0 +1,32 @@
+name: Publish
+
+on:
+ push:
+ tags:
+ - '[0-9]+.[0-9]+.[0-9]+'
+
+jobs:
+ pypi-publish:
+ name: Upload to PyPI
+ runs-on: ubuntu-latest
+ environment: pypi
+ permissions:
+ # IMPORTANT: this permission is mandatory for Trusted Publishing
+ id-token: write
+ steps:
+ - name: Get artifact run
+ id: get_artifact_run
+ run: |
+ RUN_ID=$(gh run list --workflow "Default CI/CD" --branch master --commit "${{ github.sha }}" --status completed --limit 1 --json databaseId --jq ".[].databaseId")
+ if [ -z "$RUN_ID" ]; then
+ echo "No completed workflow run found for commit ${{ github.sha }}"
+ exit 1
+ fi
+ echo "run=$RUN_ID" >> $GITHUB_OUTPUT
+ - name: Fetch build artifacts
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+ with:
+ name: dist
+ run-id: ${{ steps.get_artifact_run.outputs.run }}
+ - name: Publish package distributions to PyPI
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
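Review bot: The `Get artifact run` step calls `gh run list` with no token, and the job-level `permissions:` block grants only `id-token: write`, which sets every other scope (including `actions: read` and `contents: read`) to none; `gh` inside Actions refuses to run unless `GH_TOKEN` is set, and `actions/download-artifact` with a `run-id` from another workflow run is documented as needing a `github-token` input that carries `actions: read`, so as written the job very likely fails before it reaches the publish step. Adding `actions: read` next to `id-token: write`, passing `GH_TOKEN: ${{ github.token }}` on the lookup step and `github-token: ${{ github.token }}` on the download step makes the lookup work while keeping the grant minimal (no `contents: write`, nothing the publish action does not need). As a smaller point, substituting `${{ github.sha }}` directly into the shell script is safe for a SHA but is the pattern that turns into command injection with free-text contexts; routing it through `env:` as `$COMMIT_SHA` keeps the script free of expression substitution, and `"$GITHUB_OUTPUT"` should be quoted for the same shell-hygiene reason.
```yaml
    permissions:
      # IMPORTANT: this permission is mandatory for Trusted Publishing
      id-token: write
      # needed by `gh run list` and by download-artifact with a cross-run run-id
      actions: read
    steps:
      - name: Get artifact run
        id: get_artifact_run
        env:
          GH_TOKEN: ${{ github.token }}
          COMMIT_SHA: ${{ github.sha }}
        run: |
          RUN_ID=$(gh run list --workflow "Default CI/CD" --branch master --commit "$COMMIT_SHA" --status completed --limit 1 --json databaseId --jq ".[].databaseId")
          if [ -z "$RUN_ID" ]; then
            echo "No completed workflow run found for commit $COMMIT_SHA"
            exit 1
          fi
          echo "run=$RUN_ID" >> "$GITHUB_OUTPUT"
      - name: Fetch build artifacts
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: dist
          run-id: ${{ steps.get_artifact_run.outputs.run }}
          github-token: ${{ github.token }}
      # … unchanged: publish step …
```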