From f481b193852c19e55cc7031a2817734ad5468ee3 Mon Sep 17 00:00:00 2001
From: Colin Rogers <111200756+colin-rogers-dbt@users.noreply.github.com>
Date: Wed, 18 Dec 2024 11:50:41 -0800
Subject: [PATCH] Update publish.yml to inherit secrets when calling
 publish-pypi (#389)

---
 .github/workflows/publish.yml | 44 +++++++++++++++++++++++++++++++----
 1 file changed, 39 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 04a14545..421a66ad 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -58,11 +58,45 @@ jobs:
             branch: ${{ needs.generate-changelog.outputs.branch-name }}
         secrets: inherit
 
-    publish-pypi:
+    package:
         if: ${{ inputs.pypi-public == true }}
-        needs: generate-changelog
-        uses: ./.github/workflows/_publish-pypi.yml
+        uses: ./.github/workflows/_package-directory.yml
         with:
             package: ${{ inputs.package }}
-            deploy-to: ${{ inputs.deploy-to }}
-            branch: ${{ needs.generate-changelog.outputs.branch-name }}
+
+    publish-pypi:
+        if: ${{ inputs.pypi-public == true }}
+        needs: [package, generate-changelog]
+        runs-on: ${{ vars.DEFAULT_RUNNER }}
+        environment:
+            name: ${{ inputs.deploy-to }}
+            url: ${{ vars.PYPI_PROJECT_URL }}/${{ inputs.package }}
+        permissions:
+            # this permission is required for trusted publishing
+            # see https://github.com/marketplace/actions/pypi-publish
+            id-token: write
+        steps:
+        -   uses: actions/checkout@v4
+            with:
+                ref: ${{ needs.generate-changelog.outputs.branch-name }}
+        -   uses: actions/setup-python@v5
+            with:
+                python-version: ${{ vars.DEFAULT_PYTHON_VERSION }}
+        -   uses: pypa/hatch@install
+            # hatch will build using test PyPI first and fall back to prod PyPI when deploying to test
+            # this is done via environment variables in the test environment in GitHub
+        -   run: hatch build && hatch run build:check-all
+            working-directory: ./${{ needs.package.outputs.directory }}
+        -   uses: pypa/gh-action-pypi-publish@release/v1
+            with:
+                repository-url: ${{ vars.PYPI_REPOSITORY_URL }}
+                packages-dir: ./${{ needs.package.outputs.directory }}dist/
+        -   id: version
+            run: echo "version=$(hatch version)" >> $GITHUB_OUTPUT
+            working-directory: ./${{ needs.package.outputs.directory }}
+        -   uses: nick-fields/retry@v3
+            with:
+                timeout_seconds: 10
+                retry_wait_seconds: 10
+                max_attempts: 15  # 5 minutes: (10s timeout + 10s delay) * 15 attempts
+                command: wget ${{ vars.PYPI_PROJECT_URL }}/${{ steps.version.outputs.version }}