From 484a7732f08f95c07b6257c4cfe257f64470a7cb Mon Sep 17 00:00:00 2001
From: Ray Luo <rayluo.mba@gmail.com>
Date: Sun, 1 Oct 2023 10:53:43 -0700
Subject: [PATCH] Modernize python-package.yml

---
 .github/workflows/python-package.yml | 46 ++++++++++++++++++----------
 1 file changed, 29 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 41fa45a..bbde895 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -18,16 +18,16 @@ jobs:
       TRAVIS: true
 
     # Derived from https://docs.github.com/en/actions/guides/building-and-testing-python#starting-with-the-python-workflow-template
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest  # The latest 22.04 no longer supports Python 3.5, 3.6
     strategy:
       matrix:
         # See also https://endoflife.date/python
-        python-version: [3.6, 3.7, 3.8, 3.9]
+        python-version: [3.7, 3.8, 3.9, "3.10", 3.11, 3.12]
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v4
       with:
         python-version: ${{ matrix.python-version }}
 
@@ -61,28 +61,40 @@ jobs:
 
   cd:
     needs: ci
-    if: github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || github.ref == 'refs/heads/main')
+    # Note: github.event.pull_request.draft == false WON'T WORK in "if" statement,
+    # because the triggered event is a push, not a pull_request.
+    # This means each commit will trigger a release on TestPyPI.
+    # Those releases will only succeed when each push has a new version number: a1, a2, a3, etc.
+    if: |
+      github.event_name == 'push' &&
+      (
+        startsWith(github.ref, 'refs/tags') ||
+        startsWith(github.ref, 'refs/heads/release-')
+      )
     runs-on: ubuntu-latest
+    # Based on trusted publisher https://docs.pypi.org/trusted-publishers/
+    permissions:
+      id-token: write  # mandatory for trusted publishing
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: Set up Python 3.9
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v4
       with:
         python-version: 3.9
     - name: Build a package for release
       run: |
         python -m pip install build --user
         python -m build --sdist --wheel --outdir dist/ .
-    - name: Publish to TestPyPI
-      uses: pypa/gh-action-pypi-publish@v1.4.2
-      if: github.ref == 'refs/heads/main'
+    - name: |
+        Publish to TestPyPI when pushing to release-* branch.
+        You better test with a1, a2, b1, b2 releases first.
+      if: startsWith(github.ref, 'refs/heads/release-')
+      # You need to setup Trusted Publisher first
+      uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        user: __token__
-        password: ${{ secrets.TEST_PYPI_API_TOKEN }}
-        repository_url: https://test.pypi.org/legacy/
+        repository-url: https://test.pypi.org/legacy/
     - name: Publish to PyPI
       if: startsWith(github.ref, 'refs/tags')
-      uses: pypa/gh-action-pypi-publish@v1.4.2
-      with:
-        user: __token__
-        password: ${{ secrets.PYPI_API_TOKEN }}
+      # You need to setup Trusted Publisher first
+      uses: pypa/gh-action-pypi-publish@release/v1
+