Don't accept Replicate API tokens for CLI login #68

	---
	name: PyPI package

	on:
	push:
	branches: [main]
	tags: ["v[0-9]+.[0-9]+.[0-9]+*"]
	workflow_dispatch:

	permissions:
	attestations: write
	contents: read
	id-token: write

	jobs:
	build-package:
	name: Build & verify package
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0 # needed for setuptools_scm version determination
	# HACK: for now, disable local versions so we can push to Test PyPI on main
	- name: Disable local version
	if: github.event_name == 'push' && github.ref == 'refs/heads/main'
	run: \|
	sed -i '/\[tool\.setuptools_scm\]/a local_scheme = "no-local-version"' pyproject.toml
	git update-index --assume-unchanged pyproject.toml
	- uses: hynek/build-and-inspect-python-package@v2
	with:
	attest-build-provenance-github: 'true'

	release-test-pypi:
	name: Publish dev package to test.pypi.org
	if: github.repository_owner == 'replicate' && github.ref == 'refs/heads/main'
	runs-on: ubuntu-latest
	needs: build-package
	steps:
	- name: Download packages
	uses: actions/download-artifact@v4
	with:
	name: Packages
	path: dist
	- name: Upload package to Test PyPI
	uses: pypa/gh-action-pypi-publish@release/v1
	with:
	repository-url: https://test.pypi.org/legacy/

	release-pypi:
	name: Publish released package to pypi.org
	if: github.repository_owner == 'replicate' && startsWith(github.ref, 'refs/tags/')
	runs-on: ubuntu-latest
	needs: build-package
	steps:
	- name: Download packages
	uses: actions/download-artifact@v4
	with:
	name: Packages
	path: dist
	- name: Upload package to PyPI
	uses: pypa/gh-action-pypi-publish@release/v1

Provide feedback