From 8b9c22a6338b637655bc91dbb1b43aa7a6a18333 Mon Sep 17 00:00:00 2001
From: Irfan Alibay <IAlibay@users.noreply.github.com>
Date: Fri, 27 Oct 2023 19:38:33 +0100
Subject: [PATCH] Fix deploy to use the right environment & token permissions

---
 .github/workflows/deploy.yaml | 68 +++++++++++++++++++++++++++++++----
 1 file changed, 61 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 1e4a45559fc..ce3d55cd5e0 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -117,12 +117,16 @@ jobs:
           path: testsuite/dist/*.tar.gz
           retention-days: 7
 
-  upload_testpypi:
+  upload_testpypi_mdanalysis:
     if: |
       github.repository == 'MDAnalysis/mdanalysis' &&
       (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/package'))
-    name: testpypi upload
-    environment: deploy
+    name: testpypi_upload_mdanalysis
+    environment:
+      name: deploy
+      url: https://test.pypi.org/p/mdanalysis
+    permissions:
+      id-token: write
     runs-on: ubuntu-latest
     needs: [build_wheels, build_sdist, build_sdist_tests]
     steps:
@@ -142,6 +146,29 @@ jobs:
           skip_existing: true
           repository_url: https://test.pypi.org/legacy/
 
+  upload_testpypi_mdanalysistests:
+    if: |
+      github.repository == 'MDAnalysis/mdanalysis' &&
+      (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/package'))
+    name: testpypi_upload_mdanalysistests
+    environment:
+      name: deploy
+      url: https://test.pypi.org/p/mdanalysis
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    needs: [build_wheels, build_sdist, build_sdist_tests]
+    steps:
+      - uses: actions/download-artifact@v3
+        with:
+          name: artifact
+          path: dist
+
+      - name: move_test_dist
+        run: |
+          mkdir -p testsuite/dist
+          mv dist/MDAnalysisTests-* testsuite/dist
+
       - name: upload_tests
         uses: pypa/gh-action-pypi-publish@v1.8.10
         with:
@@ -149,12 +176,16 @@ jobs:
           skip_existing: true
           repository_url: https://test.pypi.org/legacy/
  
-  upload_pypi:
+  upload_pypi_mdanalysis:
     if: |
       github.repository == 'MDAnalysis/mdanalysis' &&
       github.event_name == 'release' && github.event.action == 'published'
-    name: pypi upload
-    environment: deploy
+    name: pypi_upload_mdanalysis
+    environment:
+      name: deploy
+      url: https://pypi.org/p/mdanalysis
+    permissions:
+      id-token: write
     runs-on: ubuntu-latest
     needs: [build_wheels, build_sdist, build_sdist_tests]
     steps:
@@ -171,6 +202,29 @@ jobs:
       - name: upload_source_and_wheels
         uses: pypa/gh-action-pypi-publish@v1.18.10
 
+  upload_pypi_mdanalysistests:
+    if: |
+      github.repository == 'MDAnalysis/mdanalysis' &&
+      github.event_name == 'release' && github.event.action == 'published'
+    name: pypi_upload_mdanalysistests
+    environment:
+      name: deploy
+      url: https://pypi.org/p/mdanalysistests
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    needs: [build_wheels, build_sdist, build_sdist_tests]
+    steps:
+      - uses: actions/download-artifact@v3
+        with:
+          name: artifact
+          path: dist
+
+      - name: move_test_dist
+        run: |
+          mkdir -p testsuite/dist
+          mv dist/MDAnalysisTests-* testsuite/dist
+
       - name: upload_tests
         uses: pypa/gh-action-pypi-publish@v1.18.10
         with:
@@ -183,7 +237,7 @@ jobs:
     name: testpypi check
     runs-on: ${{ matrix.os }}
     timeout-minutes: 60
-    needs: upload_testpypi
+    needs: [upload_testpypi_mdanalysis, upload_testpypi_mdanalysistests]
     strategy:
       fail-fast: false
       matrix: