From 94b67f6df842cf21ccb1cb83b4f104f4ba130f90 Mon Sep 17 00:00:00 2001
From: cmdoret
Date: Wed, 18 Dec 2024 10:14:51 +0100
Subject: [PATCH 1/4] ci: use trusted publisher in poetry-test-publish

---
 .github/workflows/poetry-test-publish.yml | 65 ++++++++++++++++++++---
 1 file changed, 57 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/poetry-test-publish.yml b/.github/workflows/poetry-test-publish.yml
index 8b15106..10a5c5c 100644
--- a/.github/workflows/poetry-test-publish.yml
+++ b/.github/workflows/poetry-test-publish.yml
@@ -1,18 +1,67 @@ -name: Publish on Pypi Test +# Workflow following resources at: +# - https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-pypi +# - https://packaging.python.org/en/latest/tutorials/packaging-projects/#uploading-the-distribution-archives +# Jobs are split to prevent unneccessary priviledge elevation through write permissions during building. + +name: Build and publish on Pypi Test on: workflow_dispatch: +permissions: + contents: read + jobs: - build: + run-tests: + uses: ./.github/workflows/poetry-pytest.yml + test-build: + name: Build python wheels + needs: + - run-tests runs-on: ubuntu-latest steps: # https://github.com/actions/checkout - uses: actions/checkout@v4 - - name: Build and publish to pypi - # https://github.com/JRubics/poetry-publish - uses: JRubics/poetry-publish@v1.17 + - name: Set up Python + # https://github.com/actions/setup-python + uses: actions/setup-python@v5.1.1 with: - pypi_token: ${{ secrets.PYPI_TEST_API_TOKEN }} - repository_name: "testpypi" - repository_url: "https://test.pypi.org/legacy/" + python-version: "3.12" + + - name: Install Poetry + run: | + pip install poetry + + - name: Build source and wheel archives + run: poetry build + + - name: Upload distributions + # https://github.com/actions/upload-artifact + uses: actions/upload-artifact@v4 + with: + name: test-dists + path: dist/ + + pypi-test-publish: + name: Upload release to PyPI Test + needs: + - test-build + runs-on: ubuntu-latest + environment: + name: test-pypi + url: https://test.pypi.org/p/gimie + permissions: + id-token: write + # IMPORTANT: this permission is mandatory for trusted publishing + steps: + - name: Retrieve release distributions + # https://github.com/actions/download-artifact + uses: actions/download-artifact@v4.1.8 + with: + name: test-dists + path: dist/ + - name: Publish package distributions to TestPyPI + # https://github.com/pypa/gh-action-pypi-publish + uses: 
pypa/gh-action-pypi-publish@release/v1
+      with:
+        repository-url: https://test.pypi.org/legacy/

From 13dc8a62bacc143203fb223ad285e34946774af7 Mon Sep 17 00:00:00 2001
From: cmdoret
Date: Wed, 18 Dec 2024 10:15:00 +0100
Subject: [PATCH 2/4] ci: use trusted publisher in poetry-publish

---
 .github/workflows/poetry-publish.yml | 63 ++++++++++++++++++++++++----
 1 file changed, 56 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/poetry-publish.yml b/.github/workflows/poetry-publish.yml
index 3985d57..40e8d59 100644
--- a/.github/workflows/poetry-publish.yml
+++ b/.github/workflows/poetry-publish.yml
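Review bot: The `pypi-test-publish` job, the one that holds `id-token: write`, pulls `pypa/gh-action-pypi-publish@release/v1`, which is a moving branch, and the remaining actions in both jobs are pinned to mutable tags (`actions/checkout@v4`, `actions/setup-python@v5.1.1`, `actions/upload-artifact@v4`, `actions/download-artifact@v4.1.8`), so anyone who can move those refs can run code with the OIDC token that mints the TestPyPI upload credential. Pin each `uses:` to a full commit SHA and keep the version as a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, and let Dependabot or Renovate move the SHA. The same goes for `pip install poetry` in `test-build`, which takes whatever Poetry is current at build time; `pip install "poetry==<version>"` keeps the built artifacts reproducible. Minor: the new header comment's "unneccessary priviledge" should read "unnecessary privilege".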
@@ -1,18 +1,67 @@ -name: Publish on Pypi +# Workflow following resources at: +# - https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-pypi +# - https://packaging.python.org/en/latest/tutorials/packaging-projects/#uploading-the-distribution-archives +# Jobs are split to prevent unneccessary priviledge elevation through write permissions during building. + +name: Build and publish on Pypi on: release: types: [published] - branches: [main] + +permissions: + contents: read jobs: - build: + run-tests: + uses: ./.github/workflows/poetry-pytest.yml + + release-build: + name: Build python wheels + needs: + - run-tests runs-on: ubuntu-latest steps: # https://github.com/actions/checkout - uses: actions/checkout@v4 - # https://github.com/JRubics/poetry-publish - - name: Build and publish to pypi - uses: JRubics/poetry-publish@v1.17 + - name: Set up Python + # https://github.com/actions/setup-python + uses: actions/setup-python@v5.1.1 + with: + python-version: "3.12" + + - name: Install Poetry + run: | + pip install poetry + + - name: Build source and wheel archives + run: poetry build + + - name: Upload distributions + # https://github.com/actions/upload-artifact + uses: actions/upload-artifact@v4 with: - pypi_token: ${{ secrets.PYPI_API_TOKEN }} + name: release-dists + path: dist/ + + pypi-publish: + name: Upload release to PyPI + needs: + - release-build + runs-on: ubuntu-latest + environment: + name: pypi + url: https://pypi.org/p/gimie + permissions: + id-token: write + # IMPORTANT: this permission is mandatory for trusted publishing + steps: + - name: Retrieve release distributions + # https://github.com/actions/download-artifact + uses: actions/download-artifact@v4.1.8 + with: + name: release-dists + path: dist/ + - name: Publish package distributions to PyPI + # https://github.com/pypa/gh-action-pypi-publish + uses: pypa/gh-action-pypi-publish@release/v1 
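Review bot: Nothing in `release-build` checks that the version Poetry is about to build matches the release tag that triggered the run, so publishing a release from a tag whose `pyproject.toml` version was not bumped either uploads a stale version to PyPI or fails only at the upload step after the build and test jobs have already run. Add a guard step between "Install Poetry" and "Build source and wheel archives" that compares `poetry version -s` with `GITHUB_REF_NAME` (for `release` events that is the tag name; the `v` strip below assumes `vX.Y.Z` tags, drop it if the project tags bare versions). Separately, `pypi-publish` combines `id-token: write` with a trigger any published release can reach, so the `pypi` environment should carry protection rules on the GitHub side (required reviewers and a deployment tag pattern); that configuration is not visible in the diff, so confirm it exists.
```yaml
      - name: Check package version against release tag
        run: |
          pkg_version="$(poetry version -s)"
          tag_version="${GITHUB_REF_NAME#v}"
          if [ "$pkg_version" != "$tag_version" ]; then
            echo "pyproject version $pkg_version does not match tag $tag_version" >&2
            exit 1
          fi
      # … unchanged: Build source and wheel archives, Upload distributions …
```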
From 6ba53d74411de86dab68b05f23f813d58a6654c8 Mon Sep 17 00:00:00 2001
From: cmdoret
Date: Wed, 18 Dec 2024 10:23:07 +0100
Subject: [PATCH 3/4] ci(test): add workflow call trigger

---
 .github/workflows/poetry-pytest.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/poetry-pytest.yml b/.github/workflows/poetry-pytest.yml
index d0c8fe2..f388174 100644
--- a/.github/workflows/poetry-pytest.yml
+++ b/.github/workflows/poetry-pytest.yml
@@ -1,6 +1,6 @@
 name: tests
-on: [push]
+on: [push, workflow_call]
 jobs:

From b47066a729b9c825a4a374e22644ee6659079603 Mon Sep 17 00:00:00 2001
From: cmdoret
Date: Wed, 18 Dec 2024 10:28:18 +0100
Subject: [PATCH 4/4] ci: inherit secrets when reusing test workflow

---
 .github/workflows/poetry-publish.yml | 1 +
 .github/workflows/poetry-test-publish.yml | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/.github/workflows/poetry-publish.yml b/.github/workflows/poetry-publish.yml
index 40e8d59..6b7e768 100644
--- a/.github/workflows/poetry-publish.yml
+++ b/.github/workflows/poetry-publish.yml
@@ -15,6 +15,7 @@ permissions:
 jobs:
 run-tests:
 uses: ./.github/workflows/poetry-pytest.yml
+ secrets: inherit
 release-build:
 name: Build python wheels
diff --git a/.github/workflows/poetry-test-publish.yml b/.github/workflows/poetry-test-publish.yml
index 10a5c5c..f03abf3 100644
--- a/.github/workflows/poetry-test-publish.yml
+++ b/.github/workflows/poetry-test-publish.yml
@@ -14,6 +14,8 @@ permissions:
 jobs:
 run-tests:
 uses: ./.github/workflows/poetry-pytest.yml
+ secrets: inherit
+
 test-build:
 name: Build python wheels
 needs:
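Review bot: `secrets: inherit` on `run-tests` forwards every repository and environment secret the publish workflow can see into `poetry-pytest.yml`, not only what the tests need; the diff does not show which secrets that workflow reads, but the `PYPI_API_TOKEN` and `PYPI_TEST_API_TOKEN` removed in the earlier patches are exactly the kind of credential that would now reach the test job if they are still configured in the repository. Prefer an explicit allow-list: declare the needed names under `on: workflow_call: secrets:` in `poetry-pytest.yml` and pass them from each caller as `secrets:` followed by one `NAME: ${{ secrets.NAME }}` entry per secret the tests actually use. Either way, delete the now-unused PyPI API tokens from the repository settings, since trusted publishing leaves them as dead credentials. The second hunk, in `poetry-test-publish.yml`, has the same shape and the same suggestion applies.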