From a9bd6586e51e7f501ba95bd258617751938cede3 Mon Sep 17 00:00:00 2001
From: Tupui <23188539+tupui@users.noreply.github.com>
Date: Sun, 14 Jul 2024 23:45:28 +0200
Subject: [PATCH] Add dependabot and adjust permissions
---
 .github/dependabot.yml | 11 +++++++
 .github/workflows/contract.yml | 3 ++
 .github/workflows/lint.yml | 6 ++--
 .github/workflows/python-release.yml | 45 ++++++++++++++++++++++++++++
 4 files changed, 62 insertions(+), 3 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/python-release.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..87a11ac
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ groups:
+ actions-minor:
+ update-types:
+ - minor
+ - patch
diff --git a/.github/workflows/contract.yml b/.github/workflows/contract.yml
index 1a0dc55..ea6e91c 100644
--- a/.github/workflows/contract.yml
+++ b/.github/workflows/contract.yml
@@ -1,5 +1,8 @@
 name: Test Contract
+permissions:
+ contents: read
+
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index af50055..6460fdf 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,14 +1,14 @@
 name: Linting
+permissions:
+ contents: read
+
 on: # TODO adjust once we do PR
 push:
 branches: [ main ]
 pull_request:
-permissions:
- contents: read
-
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
diff --git a/.github/workflows/python-release.yml b/.github/workflows/python-release.yml
new file mode 100644
index 0000000..f4e0838
--- /dev/null
+++ b/.github/workflows/python-release.yml
@@ -0,0 +1,45 @@
+name: publish distributions
+
+on:
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ publish:
+ name: Publish Python distribution to PyPI
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ attestations: write
+ environment:
+ name: publish-package
+
+ steps:
+ # - name: Collect built artifacts
+ # ...
+
+ - name: Generate artifact attestation for sdist and wheels
+ uses: actions/attest-build-provenance@ # vX.Y.Z
+ with:
+ subject-path: "dist/tansu*"
+
+ - name: Verify artifact attestation
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ shell: bash
+ run: |
+ for artifact in dist/*; do
+ echo "# ${artifact}"
+ gh attestation verify "${artifact}" --repo ${{ github.repository }}
+ done
+
+ - name: Publish distribution to PyPI
+ uses: pypa/gh-action-pypi-publish@ # vX.Y.Z
+ with:
+ print-hash: true
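Review bot: Both `uses:` lines in the new publish job carry an empty ref — `actions/attest-build-provenance@ # vX.Y.Z` and `pypa/gh-action-pypi-publish@ # vX.Y.Z` — so as committed the workflow cannot resolve either action. Since this job holds `id-token: write` and `attestations: write`, pin each action to a full-length commit SHA and keep the tag as the trailing comment, e.g. `uses: actions/attest-build-provenance@<full-commit-sha>  # vX.Y.Z`; the dependabot.yml added in this patch will then bump the SHA and comment together. The "Collect built artifacts" step is only a commented placeholder, so nothing populates `dist/` and the attest step's `subject-path: "dist/tansu*"` has no subject until that step is filled in. Consider `cancel-in-progress: false` for this concurrency group, because cancelling a dispatched run between the attestation and the PyPI upload leaves a half-finished release. In the verify step `--repo ${{ github.repository }}` is expanded into the shell text before it runs; passing it through `env:` (as `GH_TOKEN` already is) and quoting the variable keeps the script free of inline expressions.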