ci: Add permissions for contents in release workflow #786

	name: Release

	on:
	push:
	branches:
	- main
	- master

	jobs:
	release:
	name: Release
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	contents: write
	steps:
	- name: Check out the repository
	uses: actions/checkout@v6
	with:
	fetch-depth: 2

	- name: Set up the environment
	uses: ./.github/actions/setup-python-env

	- name: Check if there is a parent commit
	id: check-parent-commit
	run: \|
	echo "::set-output name=sha::$(git rev-parse --verify --quiet HEAD^)"

	- name: Detect and tag new version
	id: check-version
	if: steps.check-parent-commit.outputs.sha
	uses: salsify/[email protected]
	with:
	version-command: \|
	bash -o pipefail -c "uv version \| awk '{ print \$2 }'"

	- name: Bump version for developmental release
	if: "! steps.check-version.outputs.tag"
	run: \|
	next=$(uv run bump-my-version show new_version --increment patch)
	uv run bump-my-version bump --new-version "${next}.dev$(date +%s)"

	- name: Build package
	run: \|
	uv build

	- name: Publish package on PyPI
	if: steps.check-version.outputs.tag
	uses: pypa/[email protected]
	with:
	user: __token__
	password: ${{ secrets.PYPI_TOKEN }}

	- name: Publish package on TestPyPI
	if: "! steps.check-version.outputs.tag"
	uses: pypa/[email protected]
	with:
	user: __token__
	password: ${{ secrets.TEST_PYPI_TOKEN }}
	repository_url: https://test.pypi.org/legacy/

	- name: Publish the release notes
	uses: release-drafter/[email protected]
	with:
	publish: ${{ steps.check-version.outputs.tag != '' }}
	tag: ${{ steps.check-version.outputs.tag }}
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Provide feedback