From ca9c0822463d23bcf6efd7462951e8973c412b55 Mon Sep 17 00:00:00 2001
From: Jacob Wujciak-Jens <jacob@dottxt.co>
Date: Wed, 29 Apr 2026 19:29:26 +0200
Subject: [PATCH 1/2] Add workflow to publish package to PyPi

This will do a test release to test.pypi.org when run in PRs.
---
 .github/workflows/publish.yml | 67 +++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 .github/workflows/publish.yml

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..70c2b67
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,67 @@
+name: Publish to PyPI
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/publish.yml
+  release:
+    types:
+      - released
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.sha }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Build distributions
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b  # v8.1.0
+
+      - name: Build package
+        env:
+          SETUPTOOLS_SCM_OVERRIDES_FOR_DOTTXT: '{local_scheme=["fail-on-uncommitted-changes", "no-local-version"]}'
+        run: |
+          uv build
+
+      - name: Upload distributions
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
+        with:
+          name: python-package-distributions
+          path: dist/
+          if-no-files-found: error
+
+  publish:
+    name: Publish to PyPI
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # For trusted publishing
+    environment:
+      name: ${{ case(github.event_name == 'release', 'pypi', 'test-pypi') }}
+      url: ${{ case(github.event_name == 'release', 'https://pypi.org/p/dottxt',
+               'https://test.pypi.org/p/dottxt') }}
+    steps:
+      - name: Download distributions
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # v1.14.0
+        with:
+          attestations: true
+          repository-url: ${{ case(github.event_name == 'release', 'https://upload.pypi.org/legacy/',
+                                   'https://test.pypi.org/legacy/') }}

From 4f9d5989b0955f4ace7166ae698b35f020d3b49a Mon Sep 17 00:00:00 2001
From: Jacob Wujciak-Jens <jacob@dottxt.co>
Date: Wed, 29 Apr 2026 23:02:51 +0200
Subject: [PATCH 2/2] Don't fail publish workflow on test.pypi.org upload of
 same version

We could also do some additional work to create unique versions
etc. but that seems like overkill for this test. The attestation and
trusted publishing will be tested even with this option on.
---
 .github/workflows/publish.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 70c2b67..be0851b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -62,6 +62,8 @@ jobs:
       - name: Publish package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # v1.14.0
         with:
+          # Same version/content can't be reuploaded, so skip the files if this happens in testing
+          skip-existing: ${{ github.event_name != 'release' }}
           attestations: true
           repository-url: ${{ case(github.event_name == 'release', 'https://upload.pypi.org/legacy/',
                                    'https://test.pypi.org/legacy/') }}