
Switch to secretless trusted publishing #9


Workflow file for this run

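# Builds an sdist and wheels on every trigger. Publishes to the package index
# only when a GitHub release is published, using OIDC trusted publishing
# (no long-lived API token is stored in repository secrets).
name: Wheels

on:
  workflow_dispatch:
  pull_request:
  push:
    branches:
      - main
  release:
    types:
      - published

# Least privilege for GITHUB_TOKEN: the build jobs only need to read the
# repository. The publish job overrides this with its own job-level block.
permissions:
  contents: read

jobs:
  build_sdist:
    name: Build SDist
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true

      - name: Build SDist
        run: pipx run build --sdist

      # Validates the package metadata before the artifact is handed on.
      - name: Check metadata
        run: pipx run twine check dist/*

      - uses: actions/upload-artifact@v4
        with:
          name: dist-sdist
          path: dist/*.tar.gz

  build_wheels:
    name: Wheels on ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest]
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true

      # NOTE(review): the ref after "@" was lost to e-mail obfuscation when
      # this page was rendered ("pypa/[email protected]"). The action is
      # presumably pypa/cibuildwheel (wheels land in wheelhouse/); restore
      # the real tag or commit SHA from the repository before using this.
      - uses: pypa/cibuildwheel@<version-lost-in-extraction>

      # Fails the job if the build modified any tracked file.
      - name: Verify clean directory
        run: git diff --exit-code
        shell: bash

      - name: Upload wheels
        uses: actions/upload-artifact@v4
        with:
          path: wheelhouse/*.whl
          name: dist-${{ matrix.os }}

  merge_wheels:
    name: Merge wheels into a combined artifact
    runs-on: ubuntu-latest
    needs: [build_wheels, build_sdist]
    steps:
      # Combines every dist-* artifact of this run into one artifact "dist".
      - name: Merge Artifacts
        uses: actions/upload-artifact/merge@v4
        with:
          name: dist
          pattern: dist-*

  upload_all:
    name: Upload if release
    needs: merge_wheels
    runs-on: ubuntu-latest
    # Only this job can request an OIDC token. The build jobs, which execute
    # the project's build code, never receive that capability.
    permissions:
      # IMPORTANT: this permission is mandatory for trusted publishing
      id-token: write
    if: github.event_name == 'release' && github.event.action == 'published'
    # NOTE(review): consider binding this job to a protected deployment
    # environment and registering the same environment name in the index's
    # trusted-publisher settings, so a release needs an explicit approval.
    steps:
      - uses: actions/setup-python@v5

      # Download only the merged artifact. Without `name`, download-artifact@v4
      # fetches every artifact of the run into its own subdirectory
      # (dist/dist-sdist/, dist/dist/, ...), so dist/ would hold no
      # distribution files at the top level for the publish step.
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist

      # NOTE(review): release/v1 is a mutable branch ref and this step runs
      # with id-token: write. Pinning to a full commit SHA makes the code that
      # mints the publishing credential immutable and reviewable.
      - uses: pypa/gh-action-pypi-publish@release/v1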