Set permissions explicitly in GitHub Actions #408

	name: Packaging

	on:
	# Make sure packaging process is not broken
	push:
	branches: [master]
	pull_request:
	# Make a package for release
	release:
	types: [published]

	jobs:
	build:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	steps:
	- uses: actions/checkout@v3
	- name: Set up Python
	uses: actions/setup-python@v5
	with:
	python-version: 3.13
	- name: Install dependencies
	run: python -m pip install --upgrade build
	- name: Create packages
	run: python -m build
	- uses: actions/upload-artifact@v4
	with:
	name: tox-gh-actions-dist
	path: dist

	pypi-publish:
	needs:
	- build
	runs-on: ubuntu-latest
	if: github.event_name == 'release'
	environment: pypi
	permissions:
	id-token: write # Required for using pypa/gh-actions-pypi-publish
	steps:
	- uses: actions/checkout@v4
	- uses: actions/download-artifact@v4
	with:
	name: tox-gh-actions-dist
	path: dist
	- name: Publish package distributions to PyPI
	uses: pypa/gh-action-pypi-publish@release/v1

	github-release:
	needs:
	- build
	runs-on: ubuntu-latest
	if: github.event_name == 'release'
	environment: release
	permissions:
	contents: write # Required for uploading artifacts to GitHub release
	steps:
	- uses: actions/checkout@v4
	- uses: actions/download-artifact@v4
	with:
	name: tox-gh-actions-dist
	path: dist
	- name: Upload artifacts to GitHub release
	working-directory: ./dist
	env:
	GH_TOKEN: ${{ github.token }}
	run: gh release upload "${{ github.event.release.tag_name }}" ./*

Provide feedback