From f4e257c3a4ea000e07d5b670836d439f5e11fce6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sviatoslav=20Sydorenko=20=28=D0=A1=D0=B2=D1=8F=D1=82=D0=BE?= =?UTF-8?q?=D1=81=D0=BB=D0=B0=D0=B2=20=D0=A1=D0=B8=D0=B4=D0=BE=D1=80=D0=B5?= =?UTF-8?q?=D0=BD=D0=BA=D0=BE=29?=
Date: Tue, 14 May 2024 23:13:19 -0400
Subject: [PATCH] Fix broad build privileges @ GHA release workflow (#3281)

---
 .github/workflows/release.yml | 33 ++++++++++++++++++++++++++-------
 1 file changed, 26 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bd243c058..ad0fdee3c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,14 +3,12 @@ on:
 push:
 tags: ["*"]
 
+env:
+ dists-artifact-name: python-package-distributions
+
 jobs:
- release:
+ build:
 runs-on: ubuntu-latest
- environment:
- name: release
- url: https://pypi.org/p/tox
- permissions:
- id-token: write
 steps:
 - name: Setup python to build package
 uses: actions/setup-python@v5
@@ -22,6 +20,27 @@ jobs:
 with:
 fetch-depth: 0
 - name: Build package
- run: pyproject-build -s -w . -o dist
+ run: pyproject-build
+ - name: Store the distribution packages
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ env.dists-artifact-name }}
+ path: dist/*
+
+ release:
+ needs:
+ - build
+ runs-on: ubuntu-latest
+ environment:
+ name: release
+ url: https://pypi.org/project/tox/${{ github.ref_name }}
+ permissions:
+ id-token: write
+ steps:
+ - name: Download all the dists
+ uses: actions/download-artifact@v4
+ with:
+ name: ${{ env.dists-artifact-name }}
+ path: dist/
 - name: Publish to PyPI
 uses: pypa/gh-action-pypi-publish@v1.8.14
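Review bot: The new `build` job declares no `permissions:` key, so it runs with the repository's default `GITHUB_TOKEN` scope, which may include write access depending on the repository settings. Because this job runs the project's build backend, I would add `permissions:` with `contents: read` directly under `build:` to finish what the commit title sets out to do. No workflow-level `permissions:` is visible between `on:` and `jobs:` in this hunk, though the first two lines of the file are outside it. The job's remaining steps also continue past the end of this hunk.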
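Review bot: `actions/download-artifact@v4` is referenced by a mutable tag inside the `release` job, the one job that holds `id-token: write`, so whatever commit that tag resolves to at run time executes with the ability to request the PyPI publishing token. Pinning by full commit SHA, e.g. `uses: actions/download-artifact@<full-commit-sha>  # v4`, removes that dependency on the tag. The same applies to the unchanged `pypa/gh-action-pypi-publish@v1.8.14` line and, with lower stakes, to `actions/upload-artifact@v4` in `build`. Separately, adding `if-no-files-found: error` to the upload step would make an empty `dist/` fail in `build` rather than surface later at download time.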