From ffd2ee0a0e3bbc4432d8753d9c13e20870ae29c4 Mon Sep 17 00:00:00 2001
From: Wei Ji <23487320+weiji14@users.noreply.github.com>
Date: Fri, 3 Jan 2025 13:09:51 +1300
Subject: [PATCH 1/2] CI: Separate jobs for publishing to TestPyPI and PyPI

Have a dedicated build distribution job, and split the publish to TestPyPI and PyPI jobs, to work around the attestation file issue. Xref https://github.com/pypa/gh-action-pypi-publish/issues/283
---
 .github/workflows/publish-to-pypi.yml | 58 ++++++++++++++++++++++-----
 1 file changed, 49 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml
index 2dbc12cbef1..b77a20da9c6 100644
--- a/.github/workflows/publish-to-pypi.yml
+++ b/.github/workflows/publish-to-pypi.yml
@@ -35,13 +35,9 @@ on:
   #    - main
 
 jobs:
-  publish-pypi:
-    name: Publish to PyPI
+  build:
+    name: Build distribution 📦
     runs-on: ubuntu-latest
-    permissions:
-      # This permission is mandatory for OIDC publishing
-      id-token: write
-    if: github.repository == 'GenericMappingTools/pygmt'
 
     steps:
     - name: Checkout
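Review bot: With the `permissions:` block removed, the new `build` job declares no token scope of its own, so unless the workflow sets `permissions:` at top level (not visible in this hunk) it runs checkout and the package build with the repository's default `GITHUB_TOKEN` permissions. This job only needs to read the source, so I would add `permissions:` with `contents: read` under `runs-on:`, which keeps the build steps from writing to the repository even if a build-time dependency misbehaves. The job's steps continue outside the hunk.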
@@ -49,6 +45,7 @@ jobs:
       with:
         # fetch all history so that setuptools-scm works
         fetch-depth: 0
+        persist-credentials: false
 
     - name: Set up Python
       uses: actions/setup-python@v5.3.0
@@ -74,11 +71,54 @@ jobs:
         echo "Generated files:"
         ls -lh dist/
 
-    - name: Publish to Test PyPI
+    - name: Store the distribution packages
+      uses: actions/upload-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+
+  publish-to-testpypi:
+    name: Publish Python 🐍 distribution 📦 to TestPyPI
+    if: github.repository == 'GenericMappingTools/pygmt'
+    needs:
+      - build
+    runs-on: ubuntu-latest
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/p/pygmt
+    permissions:
+      id-token: write # IMPORTANT: mandatory for trusted OIDC publishing
+
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+
+    - name: Publish distribution 📦 to TestPyPI
       uses: pypa/gh-action-pypi-publish@v1.12.3
       with:
         repository-url: https://test.pypi.org/legacy/
 
-    - name: Publish to PyPI
-      if: startsWith(github.ref, 'refs/tags')
+  publish-pypi:
+    name: Publish Python 🐍 distribution 📦 to PyPI
+    if: github.repository == 'GenericMappingTools/pygmt' && startsWith(github.ref, 'refs/tags/')
+    needs:
+      - build
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/pygmt
+    permissions:
+      id-token: write # IMPORTANT: mandatory for trusted OIDC publishing
+
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+
+    - name: Publish distribution 📦 to PyPI
       uses: pypa/gh-action-pypi-publish@v1.12.3
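Review bot: Both publishing jobs hold `id-token: write`, yet every action they run is referenced by a movable tag (`actions/download-artifact@v4`, `pypa/gh-action-pypi-publish@v1.12.3`), so the integrity of the upload rests on those tags never being retargeted. Pinning each `uses:` to a full commit SHA with the version kept as a comment, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha> # v1.12.3`, removes that dependency; the same applies to `actions/upload-artifact@v4` in the `build` job, whose artifact is what gets published. The exact-version tags introduced in PATCH 2/2 narrow the range but are still tags. It is also worth confirming that the `pypi` environment has a required-reviewer rule and that the trusted publisher registered on PyPI is bound to that environment name, since neither is visible in this diff.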

From 190d93e1c707a856c1699ab834eeaae1b7621525 Mon Sep 17 00:00:00 2001
From: Wei Ji <23487320+weiji14@users.noreply.github.com>
Date: Mon, 6 Jan 2025 09:43:38 +1300
Subject: [PATCH 2/2] Apply suggestions from code review

Co-authored-by: Dongdong Tian <seisman.info@gmail.com>
---
 .github/workflows/publish-to-pypi.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml
index b77a20da9c6..15c66e1842b 100644
--- a/.github/workflows/publish-to-pypi.yml
+++ b/.github/workflows/publish-to-pypi.yml
@@ -72,7 +72,7 @@ jobs:
         ls -lh dist/
 
     - name: Store the distribution packages
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v4.5.0
       with:
         name: python-package-distributions
         path: dist/
@@ -85,13 +85,13 @@ jobs:
     runs-on: ubuntu-latest
     environment:
       name: testpypi
-      url: https://test.pypi.org/p/pygmt
+      url: https://test.pypi.org/project/pygmt
     permissions:
       id-token: write # IMPORTANT: mandatory for trusted OIDC publishing
 
     steps:
     - name: Download all the dists
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v4.1.8
       with:
         name: python-package-distributions
         path: dist/
@@ -109,13 +109,13 @@ jobs:
     runs-on: ubuntu-latest
     environment:
       name: pypi
-      url: https://pypi.org/p/pygmt
+      url: https://pypi.org/project/pygmt/
     permissions:
       id-token: write # IMPORTANT: mandatory for trusted OIDC publishing
 
     steps:
     - name: Download all the dists
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v4.1.8
       with:
         name: python-package-distributions
         path: dist/