Explicitly state write permissions on publish job #661

	name: PyPI

	on:
	pull_request:
	release:
	types:
	- published

	jobs:
	build_wheel:
	name: Build wheels
	runs-on: ubuntu-latest

	steps:
	- uses: actions/checkout@v2
	# Include all history and tags
	with:
	fetch-depth: 0

	- uses: actions/setup-python@v2
	name: Install Python
	with:
	python-version: '3.9'

	- name: Build wheels
	run: \|
	pip install wheel
	pip wheel --no-deps -w dist .

	- uses: actions/upload-artifact@v2
	with:
	path: dist/*.whl

	build_sdist:
	name: Build source distribution
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v2
	# Include all history and tags
	with:
	fetch-depth: 0

	- uses: actions/setup-python@v2
	name: Install Python
	with:
	python-version: '3.9'

	- name: Build sdist
	run: \|
	python setup.py sdist

	- uses: actions/upload-artifact@v2
	with:
	path: dist/*.tar.gz

	upload_pypi:
	needs: [build_wheel, build_sdist]
	runs-on: ubuntu-latest
	if: github.event_name == 'release' && github.event.action == 'published'
	steps:
	- uses: actions/download-artifact@v2
	with:
	name: artifact
	path: dist

	- uses: pypa/gh-action-pypi-publish@master
	with:
	user: __token__
	password: ${{ secrets.PYPI_TOKEN }}
	# To test: repository_url: https://test.pypi.org/legacy/

Provide feedback