From 32b299a0cae317a434c09aa772575131e0c144f6 Mon Sep 17 00:00:00 2001
From: Jakob Schnitzer
Date: Sat, 13 Dec 2025 12:28:13 +0100
Subject: [PATCH] ci: set up for trusted publishing
---
 .github/workflows/ci.yml | 6 +++--
 .github/workflows/publish.yml | 45 +++++++++++++++++++++++++++++++++++
 uv.lock | 2 +-
 3 files changed, 50 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/publish.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4f6eccb..698defa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,8 +1,11 @@
-name: ci
+name: Test
+
 on:
 push:
+
 permissions:
 contents: read
+
 jobs:
 test:
 name: Run lint and tests
@@ -13,7 +16,6 @@ jobs:
 steps:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
- fetch-depth: 0
 persist-credentials: false
 - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
 with:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..fed9ad3
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,45 @@
+name: Publish Python distribution to PyPI
+
+on:
+ push:
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ name: Build distribution
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+ with:
+ python-version: "3.14"
+ - uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v7.1.5
+ - run: uv build
+ - name: Store the distribution packages
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+ with:
+ name: python-package-distributions
+ path: dist/
+ publish-to-pypi:
+ name: Publish Python distribution to PyPI
+ if: startsWith(github.ref, 'refs/tags/') # only publish to PyPI on tag pushes
+ needs:
+ - build
+ runs-on: ubuntu-latest
+ environment:
+ name: pypi
+ url: https://pypi.org/p/fava-plugins
+ permissions:
+ id-token: write # IMPORTANT: mandatory for trusted publishing
+ steps:
+ - name: Download all the dists
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+ with:
+ name: python-package-distributions
+ path: dist/
+ - name: Publish distribution to PyPI
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
diff --git a/uv.lock b/uv.lock
index 93bf79b..a308ac0 100644
--- a/uv.lock
+++ b/uv.lock
@@ -92,7 +92,7 @@ wheels = [ [[package]] name = "fava-plugins" -version = "1.0" +version = "1.2" source = { editable = "." } dependencies = [ { name = "beancount" },
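Review bot: In `.github/workflows/publish.yml`, the gate on `publish-to-pypi`, `if: startsWith(github.ref, 'refs/tags/')`, accepts any tag name, so every tag pushed by an account with write access reaches the job that holds `id-token: write`. Whether the `pypi` environment adds required reviewers or a deployment tag rule is not visible in this diff; if it does not, narrow the gate to the project's release-tag pattern. Either way, record the dependency next to the `environment:` key, e.g. `# release gate: the pypi environment must restrict deployments to release tags`. Separately, the `build` job that produces the released `dist/` runs `astral-sh/setup-uv` with its default cache setting. Adding `with:` / `enable-cache: false` to that step would keep restored cache contents out of the artifacts that get published.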