2.5.2.dev2 #22

	name: PyPI Release

	on:
	release:
	types: [published]

	jobs:
	publish:
	runs-on: ubuntu-latest
	environment: release
	permissions:
	# IMPORTANT: this permission is mandatory for trusted publishing
	id-token: write
	steps:
	- uses: actions/[email protected]

	- name: Pull all release assets
	uses: robinraju/[email protected]
	with:
	releaseId: ${{ github.event.release.id }}
	fileName: "*"
	tarBall: false
	zipBall: false
	out-file-path: "dist"

	- name: Verify release attestation
	env:
	GH_TOKEN: ${{ github.token }}
	run: \|
	for fname in dist/*; do
	if gh attestation verify $fname -R ${{ github.repository }}; then
	echo "[ALLOWED] $fname"
	else
	rm $fname
	echo "[DELETED] $fname"
	fi
	done

	- name: Publish to PyPI
	uses: pypa/gh-action-pypi-publish@release/v1

Provide feedback