Publish to PyPI #5

	name: Publish to PyPI

	on:
	release:
	types: [published]

	jobs:
	pypi:
	name: upload release to PyPI
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	steps:
	- uses: actions/checkout@v3

	- uses: actions/setup-python@v4
	with:
	python-version: "3.11"

	- name: Install dependencies
	run: \|
	python -m pip install --upgrade pip
	pip install setuptools wheel twine
	- name: Run tests
	run: \|
	python -m unittest tests/test_judge.py

	- name: Update version in setup.py
	run: \|
	version=$(python -c "exec(open('cantonesedetect/version.py').read()); print(__version__)")
	sed -i "s/version=.*/version='$version',/" setup.py

	- name: Build and publish
	run: \|
	python setup.py sdist bdist_wheel
	twine upload dist/*

	- name: mint API token
	id: mint-token
	run: \|
	# retrieve the ambient OIDC token
	resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
	"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
	oidc_token=$(jq -r '.value' <<< "${resp}")

	# exchange the OIDC token for an API token
	resp=$(curl -X POST https://pypi.org/_/oidc/mint-token -d "{\"token\": \"${oidc_token}\"}")
	api_token=$(jq -r '.token' <<< "${resp}")

	# mask the newly minted API token, so that we don't accidentally leak it
	echo "::add-mask::${api_token}"

	# see the next step in the workflow for an example of using this step output
	echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"

	- name: publish
	# gh-action-pypi-publish uses TWINE_PASSWORD automatically
	uses: pypa/gh-action-pypi-publish@release/v1
	with:
	password: ${{ steps.mint-token.outputs.api-token }}

Provide feedback