From 45a5993f76c44ad45310c9fcdbb01fd1183d2476 Mon Sep 17 00:00:00 2001 From: Chris Fiege Date: Mon, 4 Nov 2024 09:48:41 +0100 Subject: [PATCH 1/2] CI: Split publish into test and production In workflow https://github.com/linux-automation/usbsdmux/actions/runs/11659598753/job/32460446373 we have seen that a dirty environment can be problematic for a workflow. Here a leftover file from the publish to test.pypi.org caused the preflight checks for the proper release to fail. With this change we will use different jobs for both steps - thus starting with a clean environment every time. Signed-off-by: Chris Fiege --- .github/workflows/check-and-publish.yaml | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/.github/workflows/check-and-publish.yaml b/.github/workflows/check-and-publish.yaml index 11413c4..a4d3ecb 100644 --- a/.github/workflows/check-and-publish.yaml +++ b/.github/workflows/check-and-publish.yaml @@ -38,8 +38,8 @@ jobs: name: dist path: dist - publish: - name: Publish + publish-test: + name: Publish to test.pypi.org if: ${{ github.event_name == 'push' && vars.PUBLISH_PYPI == 'true' && (startsWith(github.ref, 'refs/tags') || github.ref == 'refs/heads/master') }} runs-on: ubuntu-latest needs: @@ -59,6 +59,24 @@ jobs: uses: pypa/gh-action-pypi-publish@release/v1 with: repository-url: https://test.pypi.org/legacy/ + + publish-production: + name: Publish + if: ${{ github.event_name == 'push' && vars.PUBLISH_PYPI == 'true' && startsWith(github.ref, 'refs/tags') }} + runs-on: ubuntu-latest + needs: + - codespell + - pytest + - ruff + - build + - publish-test + permissions: + id-token: write + steps: + - name: Download artifacts from build stage + uses: actions/download-artifact@v4 + with: + name: dist + path: dist/ - name: Publish distribution package to PyPI - if: ${{ startsWith(github.ref, 'refs/tags') }} uses: pypa/gh-action-pypi-publish@release/v1 From c5447a60c26111e127f24b9dc975737abe840d68 Mon Sep 17 00:00:00 2001 
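Review bot: The new publish-production job, which holds `id-token: write` and performs the actual release, references both actions by mutable refs — `actions/download-artifact@v4` and `pypa/gh-action-pypi-publish@release/v1` — so the code that receives the OIDC token and uploads to PyPI can change without any change in this repository. Pin each to a full-length commit SHA with the version in a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha> # release/v1`, and let Dependabot or Renovate bump the pins; the same applies to the publish-test job above, whose `uses:` lines this commit leaves unchanged. Because the job downloads the `dist` artifact from the build job instead of rebuilding, the bytes released to PyPI are exactly those already uploaded to test.pypi.org, which is worth a one-line comment on the download step (`# Re-use the build-job artifact so production ships the exact files already tested on test.pypi.org`). Consider also attaching the job to a GitHub `environment:` (e.g. `pypi`) so the Trusted Publisher configuration on pypi.org can be bound to that environment and a required reviewer can gate tag releases; whether the project's Trusted Publisher is already environment-scoped is not visible here.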
From: Chris Fiege Date: Mon, 4 Nov 2024 09:52:26 +0100 Subject: [PATCH 2/2] CI: Disable attestation for releases for now With v1.11.0 gh-action-pypi-publish has switched on attestations by default: https://github.com/pypa/gh-action-pypi-publish/releases/tag/v1.11.0 According to its README they are still beta: https://github.com/pypa/gh-action-pypi-publish/blob/fb13cb306901256ace3dab689990e13a5550ffaa/README.md?plain=1#L102 So we will disable attestations for releases to production for now. This way we can still evaluate this supply chain feature in testing, but keep our stable release workflow more stable. Attestations can be enabled for production once they are stable. Signed-off-by: Chris Fiege --- .github/workflows/check-and-publish.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/check-and-publish.yaml b/.github/workflows/check-and-publish.yaml index a4d3ecb..87cd1e0 100644 --- a/.github/workflows/check-and-publish.yaml +++ b/.github/workflows/check-and-publish.yaml @@ -80,3 +80,5 @@ jobs: path: dist/ - name: Publish distribution package to PyPI uses: pypa/gh-action-pypi-publish@release/v1 + with: + attestations: false
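Review bot: `attestations: false` switches off the attestations (PEP 740 provenance) for exactly the uploads where consumers would verify them — the production releases — while leaving them on for test.pypi.org, so the evaluation in testing says little about what end users of the real releases will see, and the trade-off deserves to be stated next to the setting. The failure mode of the beta feature is an upload error rather than a weakened release, so add a comment above the line, e.g. `# Attestations default to on since gh-action-pypi-publish v1.11.0; disabled for production while the feature is beta — re-enable once stable`, ideally with a link to a tracking issue so the flag is not forgotten. The surprise that prompted this commit came from consuming the action via the mutable `release/v1` branch, so its default flipped without any change in this repository; pinning the action to a full-length commit SHA would make such behavior changes explicit and reviewable. The publish-production job starts outside this hunk.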