[pre-commit.ci] pre-commit autoupdate (#7626) #87

	name: release-pipeline

	on:
	push:
	branches:
	- main
	release:
	types:
	- published

	jobs:
	build-package:
	runs-on: ubuntu-latest
	permissions:
	# write attestations and id-token are necessary for attest-build-provenance-github
	attestations: write
	id-token: write
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	fetch-depth: 0
	persist-credentials: false
	- uses: hynek/build-and-inspect-python-package@14c7e53f5d033cfa99f7af916fa59a6f7f356394 # v2.11.0
	with:
	# Prove that the packages were built in the context of this workflow.
	attest-build-provenance-github: true

	publish-package:
	# Don't publish from forks
	if: github.repository_owner == 'pymc-devs' && github.event_name == 'release' && github.event.action == 'published'
	# Use the `release` GitHub environment to protect the Trusted Publishing (OIDC)
	# workflow by requiring signoff from a maintainer.
	environment: release
	needs: build-package
	runs-on: ubuntu-latest
	permissions:
	# write id-token is necessary for trusted publishing (OIDC)
	id-token: write
	steps:
	- name: Download Distribution Artifacts
	uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
	with:
	# The build-and-inspect-python-package action invokes upload-artifact.
	# These are the correct arguments from that action.
	name: Packages
	path: dist
	- name: Publish Package to PyPI
	uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3
	# Implicitly attests that the packages were uploaded in the context of this workflow.

Provide feedback