name: Build & maybe upload PyPI package

on:
  push:
  pull_request:
  release:
    types:
      - published
  workflow_dispatch:

permissions:
  contents: read

env:
  FORCE_COLOR: 1

jobs:
  # Always build & lint package.
  build-package:
    name: Build & verify package
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-python@v5

      - name: Compile translations
        run: |
          pip install --upgrade pip
          pip install -r requirements.txt
          python babel_runner.py compile

      - uses: hynek/build-and-inspect-python-package@v2

  # Upload to real PyPI on GitHub Releases.
  release-pypi:
    name: Publish to PyPI
    environment: release-pypi
    # Only run for published releases.
    if: |
      github.repository_owner == 'python'
      && github.event.action == 'published'
    runs-on: ubuntu-latest
    needs: build-package

    permissions:
      id-token: write

    steps:
      - name: Download packages built by build-and-inspect-python-package
        uses: actions/download-artifact@v5
        with:
          name: Packages
          path: dist

      - name: Upload package to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          attestations: true