Update publishing workflow

devinslick · devinslick · commit 0fbe556cefc1 · 2025-11-01T13:39:43.000-05:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,14 +1,25 @@
+```yaml
 name: Publish Python Package
 
-# 1. Trigger the workflow when a new GitHub Release is published
+# Trigger on:
+#  - pushes to any branch (we'll publish to TestPyPI for non-main branches and to PyPI for main)
+#  - published GitHub Releases (keep existing behavior for canonical releases)
 on:
+  push:
+    branches: ["**"]
   release:
     types: [published]
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   build_sdist_and_wheel:
     name: Build distribution 📦
     runs-on: ubuntu-latest
+    outputs:
+      dist-path: ${{ steps.upload.outputs.artifact-path }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -18,70 +29,70 @@ jobs:
         with:
           python-version: "3.x"
 
-      # Install the 'build' tool, which creates the distribution files
-      - name: Install build dependencies
-        run: python -m pip install build
+      - name: Install build tooling
+        run: python -m pip install --upgrade pip build
 
-      # Create source and wheel distribution archives in the 'dist/' directory
       - name: Build distributions
-        run: python -m build
+        run: python -m build --sdist --wheel
 
-      # Store the built artifacts for the next jobs to download
       - name: Upload distribution artifacts
+        id: upload
         uses: actions/upload-artifact@v4
         with:
           name: python-package-distributions
           path: dist/
 
-  # --- PyPI Release Job (Secure, using OIDC) ---
-  pypi_publish:
-    name: Publish to PyPI
-    needs: [build_sdist_and_wheel] # Ensure the build job succeeds first
+  # Publish from pushes to non-main branches -> TestPyPI
+  publish_testpypi:
+    name: Publish to TestPyPI (branches except main)
     runs-on: ubuntu-latest
-    # Only publish to PyPI for full releases (not pre-releases)
-    if: github.event.release.prerelease == false
-    
-    # 2. Use the environment name you configured in PyPI (Optional, but recommended)
-    environment: pypi 
-    
-    # 3. CRITICAL: This is the mandatory permission for Trusted Publishers (OIDC)
+    needs: build_sdist_and_wheel
+    # Only run for pushes (not releases) and only for branches that are NOT main
+    if: |
+      github.event_name == 'push' &&
+      startsWith(github.ref, 'refs/heads/') &&
+      github.ref != 'refs/heads/main'
+    environment: testpypi
     permissions:
-      id-token: write 
-      contents: read # Required to read the repository contents
+      id-token: write
+      contents: read
 
     steps:
-      - name: Download all the dists
+      - name: Download dists
         uses: actions/download-artifact@v4
         with:
           name: python-package-distributions
           path: dist/
 
-      # 4. The PyPA action handles the OIDC token exchange and Twine upload securely
-      - name: Publish package distributions to PyPI
+      - name: Publish package distributions to TestPyPI
         uses: pypa/gh-action-pypi-publish@release/v1
-        
-  # --- TestPyPI Release Job (Optional, for pre-release testing) ---
-  testpypi_publish:
-    name: Publish to TestPyPI
-    needs: [build_sdist_and_wheel]
-    runs-on: ubuntu-latest
-
-    # Use the environment name you configured in TestPyPI
-    environment: testpypi 
+        with:
+          # repository-url directs upload to TestPyPI
+          repository-url: https://test.pypi.org/legacy/
 
+  # Publish from pushes to main OR when a Release is published -> Production PyPI
+  publish_pypi:
+    name: Publish to PyPI (main branch or GitHub Release)
+    runs-on: ubuntu-latest
+    needs: build_sdist_and_wheel
+    # Run when:
+    #  - push to main branch, or
+    #  - release published event (keeps existing release-based behavior)
+    if: |
+      (github.event_name == 'push' && github.ref == 'refs/heads/main') ||
+      (github.event_name == 'release' && github.event.action == 'published')
+    environment: pypi
     permissions:
       id-token: write
       contents: read
 
     steps:
-      - name: Download all the dists
+      - name: Download dists
         uses: actions/download-artifact@v4
         with:
           name: python-package-distributions
           path: dist/
-          
-      # The 'repository-url' is what makes this target TestPyPI
-      - name: Publish package distributions to TestPyPI
+
+      - name: Publish package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          repository-url: https://test.pypi.org/legacy/
+```
