From 80d53b59e8273b0fb4bbee56b287e9a894632300 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Thu, 3 Oct 2024 13:26:29 -0400
Subject: [PATCH 1/2] release: split jobs, refactor
Signed-off-by: William Woodruff
---
.github/workflows/release.yml | 61 +++++++++++++++++++++++------------
1 file changed, 41 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e74f8be..6caaf5d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,31 +5,52 @@ on: name: release -permissions: - # Trusted Publishing + attestations - id-token: write - attestations: write +permissions: {} jobs: - pypi: - name: upload release to PyPI + build: + name: Build distributions 📦 runs-on: ubuntu-latest steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4 - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5 - with: - python-version-file: pyproject.toml - cache: "pip" - cache-dependency-path: pyproject.toml + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5 + with: + python-version-file: pyproject.toml + cache: "pip" + cache-dependency-path: pyproject.toml - - name: deps - run: python -m pip install -U setuptools build wheel + - name: Install pypa/build + run: python -m pip install -U build - - name: build - run: python -m build + - name: Build distributions + run: python -m build - - name: publish - uses: pypa/gh-action-pypi-publish@release/v1 - with: - attestations: true + - name: Upload distributions + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4 + with: + name: distributions + path: dist/ + + + publish: + name: publish release to PyPI + runs-on: ubuntu-latest + environment: + name: pypi + url: https://pypi.org/p/pypi-attestations + needs: [build] + permissions: + id-token: write # trusted publishing + attestations + + steps: + - name: Download distributions + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 + with: + name: distributions + path: dist/ + + - name: publish + uses: pypa/gh-action-pypi-publish@release/v1 + with: + attestations: true From b60fcd5df77b8349288fa88498709823a844e6f6 Mon Sep 17 00:00:00 2001 
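Review bot: The final `publish` step in the new `publish` job still references `pypa/gh-action-pypi-publish@release/v1`, a branch ref that can move, while every other action in this hunk is pinned to a full commit SHA. That step sits in the only job granted `id-token: write`, so whatever the branch points to at release time runs with the ability to request the OIDC token used for Trusted Publishing. Pin it like the others, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # v1.x.y` (placeholder; take the SHA from the release being adopted). Separately, the `build` job keeps `cache: "pip"` on `actions/setup-python`; because this job produces the files that get published, consider dropping the cache in the release workflow so a restored cache entry cannot influence the build tooling.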
From: William Woodruff Date: Thu, 3 Oct 2024 13:32:27 -0400 Subject: [PATCH 2/2] Apply suggestions from code review --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6caaf5d..8179aac 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -34,7 +34,7 @@ jobs: publish: - name: publish release to PyPI + name: Publish Python 🐍 distributions 📦 to PyPI runs-on: ubuntu-latest environment: name: pypi