name: Publish to PyPI

on:
  push:
    tags:
      - 'v*'  # only trigger on version tags like v1.0.0

jobs:
  build-and-publish:
    runs-on: ubuntu-latest

    permissions:
      id-token: write  # required for trusted publishing, if used
      contents: read

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.13'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install build twine

      - name: Build package
        run: |
          python -m build

      - name: Publish to PyPI
        env:
          TWINE_USERNAME: __token__
          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
        run: |
          python -m twine upload dist/*