Fixes for read-only GITHUB_TOKEN in workflows #93

	name: Build and upload to PyPI

	on:
	workflow_dispatch:
	pull_request:
	push:
	branches:
	- main
	release:
	types:
	- published

	jobs:
	build_wheels:
	name: Build wheels on ${{ matrix.os }}
	runs-on: ${{ matrix.os }}
	strategy:
	matrix:
	os: [macos-13, macos-14, ubuntu-latest, windows-latest]

	steps:
	- uses: actions/checkout@v4
	with:
	submodules: true

	- name: Set up QEMU
	if: runner.os == 'Linux'
	uses: docker/setup-qemu-action@v3
	with:
	platforms: all

	- name: Build wheels
	uses: pypa/cibuildwheel@v2.19.1
	env:
	CIBW_BUILD_VERBOSITY: 1
	MAXMINDDB_REQUIRE_EXTENSION: 1
	# configure cibuildwheel to build native archs ('auto'), and some
	# emulated ones
	CIBW_ARCHS_LINUX: auto aarch64

	- uses: actions/upload-artifact@v4
	with:
	name: maxminddb-whl-${{ matrix.os }}
	path: ./wheelhouse/*.whl

	build_sdist:
	name: Build source distribution
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	with:
	submodules: true

	- name: Build sdist
	run: pipx run build --sdist

	- uses: actions/upload-artifact@v4
	with:
	name: maxminddb-sdist
	path: dist/*.tar.gz

	upload_pypi:
	needs: [build_wheels, build_sdist]
	runs-on: ubuntu-latest
	environment: release
	permissions:
	id-token: write
	if: github.event_name == 'release' && github.event.action == 'published'
	steps:
	- uses: actions/download-artifact@v4
	with:
	pattern: maxminddb-*
	path: dist
	merge-multiple: true

	- uses: pypa/gh-action-pypi-publish@release/v1

Provide feedback