chore: harden release workflow against supply chain attacks

.github/workflows/ci.yml

@@ -29,7 +29,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: wagoid/[email protected].4
+      - uses: wagoid/[email protected].5
 
   test:
     strategy:
@@ -61,46 +61,113 @@ jobs:
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
 
-  release:
+  test_release:
     needs:
       - test
       - lint
       - commitlint
 
     runs-on: ubuntu-latest
-    environment: release
+    environment: test_release
     concurrency: release
-    permissions:
-      id-token: write
-      contents: write
 
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
           ref: ${{ github.head_ref || github.ref_name }}
 
-      # Do a dry run of PSR
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.12
+
+      # Dry run of PSR to build the distribution
       - name: Test release
         uses: python-semantic-release/[email protected]
         if: github.ref_name != 'main'
         with:
           root_options: --noop
 
-      # On main branch: actual PSR + upload to PyPI & GitHub
+      - uses: snok/[email protected]
+      - name: Install Dependencies
+        run: poetry install --only main,test_build
+        shell: bash
+
+      - name: Test build of distribution packages
+        shell: bash
+        run: |
+          poetry build
+          poetry run python -Im twine check --strict dist/*
+
+  check_if_should_release:
+    # This is a dummy step to avoid starting the release step which will
+    # trigger a notification when the pypi env needs to be used and we
+    # don't want to do that unless we're actually releasing.
+    needs:
+      - test
+      - lint
+      - commitlint
+
+    if: github.ref_name == 'main' && !startsWith(github.event.pull_request.title,'chore:') && !startsWith(github.event.head_commit.message,'chore:')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dummy
+        run: |
+          echo "GitHub requires the step do something, so we're just going to echo something here."
+
+  build_release:
+    needs:
+      - check_if_should_release
+
+    runs-on: ubuntu-latest
+    outputs:
+      released: ${{ steps.release.outputs.released }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.head_ref || github.ref_name }}
+
+      # On main branch: Call PSR to build the distribution
       - name: Release
         uses: python-semantic-release/[email protected]
         id: release
-        if: github.ref_name == 'main'
+
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Store the distribution packages
+        uses: actions/upload-artifact@v3
+        with:
+          name: python-package-distributions
+          path: dist/
+
+  release:
+    needs:
+      - build_release
+
+    runs-on: ubuntu-latest
+    environment: release
+    concurrency: release
+    permissions:
+      id-token: write
+      contents: write
+
+    steps:
+      - name: Download all the dists
+        uses: actions/download-artifact@v3
+        with:
+          name: python-package-distributions
+          path: dist/
+
       - name: Publish package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
-        if: steps.release.outputs.released == 'true'
+        if: needs.build_release.outputs.released == 'true'
 
       - name: Publish package distributions to GitHub Releases
-        uses: python-semantic-release/upload-to-gh-release@main
-        if: steps.release.outputs.released == 'true'
+        uses: python-semantic-release/upload-to-gh-release@1eeda76de33f20e9341a93b0e697c79773c6914c
+        if: needs.build_release.outputs.released == 'true'
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}