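# Publishes the distributions built by the "Default CI/CD" workflow to PyPI
# when a bare X.Y.Z tag is pushed. Nothing is built here: the `dist` artifact
# is taken from the CI run on master for the tagged commit, so what gets
# released is the artifact that CI produced for that commit.
name: Publish

on:
  push:
    tags:
      - '[0-9]+.[0-9]+.[0-9]+'

jobs:
  pypi-publish:
    name: Upload to PyPI
    runs-on: ubuntu-latest
    # Deployment environment; protection rules configured on it (if any)
    # gate this job before it can request an OIDC token.
    environment: pypi
    permissions:
      # IMPORTANT: this permission is mandatory for Trusted Publishing
      id-token: write
      # A job-level permissions block leaves every unlisted scope at `none`.
      # Listing workflow runs and downloading an artifact from another run
      # both need read access to Actions.
      actions: read
    steps:
      - name: Get artifact run
        id: get_artifact_run
        env:
          # gh refuses to run inside Actions without a token, and there is no
          # checkout to infer the repository from.
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          # Context values are passed through the environment instead of being
          # expanded into the script text.
          COMMIT_SHA: ${{ github.sha }}
        run: |
          # `--status completed` also matches failed and cancelled runs; only
          # a run that concluded successfully should feed a release.
          RUN_ID=$(gh run list \
            --workflow "Default CI/CD" \
            --branch master \
            --commit "$COMMIT_SHA" \
            --status success \
            --limit 1 \
            --json databaseId \
            --jq ".[].databaseId")
          if [ -z "$RUN_ID" ]; then
            echo "No successful workflow run found for commit $COMMIT_SHA"
            exit 1
          fi
          echo "run=$RUN_ID" >> "$GITHUB_OUTPUT"

      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the release tag the SHA was taken from.
      - name: Fetch build artifacts
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: dist
          run-id: ${{ steps.get_artifact_run.outputs.run }}
          # Without a token the action only looks in the current run and
          # `run-id` has no effect.
          github-token: ${{ github.token }}

      - name: Publish package distributions to PyPI
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0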