From 41bc137f39f858291f5fcca184e8ba3f5fec04c9 Mon Sep 17 00:00:00 2001
From: Matthew Honnibal
Date: Mon, 22 Jul 2024 14:10:57 +0200
Subject: [PATCH] Separate action to upload to release, to isolate permissions
---
 .github/workflows/cibuildwheel.yml | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/cibuildwheel.yml b/.github/workflows/cibuildwheel.yml
index 72607ca..54ad559 100644
--- a/.github/workflows/cibuildwheel.yml
+++ b/.github/workflows/cibuildwheel.yml
@@ -41,12 +41,17 @@ jobs:
 - name: Build sdist
 run: pipx run build --sdist
- - name: Upload release sdist
- uses: alexellis/upload-assets@0.4.0
- env:
- GITHUB_TOKEN: ${{ github.token }}
+ - uses: actions/upload-artifact@v4
 with:
- asset_paths: '["./dist/*.tar.gz"]'
+ name: cibw-sdist
+ path: dist/*.tar.gz
+
+ # After the build has finished, download the artifacts from the action
+ # and upload them to the release. When we publish the release, the
+ # assets will be downloaded from it and uploaded to PyPi.
+ upload_assets_to_release:
+ needs: [build_sdist]
+ runs-on: ubuntu-latest
 permissions:
 contents: write
 checks: write
@@ -56,3 +61,16 @@ jobs:
 pull-requests: read
 repository-projects: read
 statuses: read
+ steps:
+ - uses: actions/download-artifact@v4
+ with:
+ # unpacks all CIBW artifacts into dist/
+ pattern: cibw-*
+ path: dist
+ merge-multiple: true
+ - uses: alexellis/upload-assets@0.4.0
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ with:
+ asset_paths: '["./dist/*"]'
+
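Review bot: `build_sdist` is left without a job-level `permissions:` block in this hunk, because the existing block now sits under the new `upload_assets_to_release:` header. That job runs the project's build code via `pipx run build --sdist`, so unless a workflow-level `permissions:` exists outside the hunk it inherits the repository's default token scope, which may be read-write. Give `build_sdist` its own `permissions:` block containing only `contents: read`, so the isolation named in the commit subject is explicit rather than dependent on repository settings. Separately, `needs: [build_sdist]` does not wait for any wheel-building job, while the download step in the second hunk pulls every `cibw-*` artifact; if such a job exists elsewhere in the file, list it in `needs` as well.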
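Review bot: `alexellis/upload-assets@0.4.0` is referenced by a mutable tag in the one job that holds `contents: write` and is handed `GITHUB_TOKEN`, so a retagged or compromised release of that action would run with write access to the repository's releases. Pin it to a full commit SHA and keep the version as a trailing comment, e.g. `uses: alexellis/upload-assets@<full-commit-sha>  # 0.4.0` (placeholder; take the SHA from the action's own repository), and consider doing the same for `actions/download-artifact@v4`. The `permissions:` block this job takes over also grants `checks: write` and further scopes hidden between the hunks; an asset upload probably needs only `contents: write`, so the others could be dropped once that is confirmed. `asset_paths` is also widened from `./dist/*.tar.gz` to `./dist/*`, which publishes whatever any `cibw-*` artifact contains, so a one-line comment on the step stating that this is intended would help the next reader.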