echo

Author: ejfine

template/.github/workflows/publish.yaml.jinja

@@ -160,12 +160,14 @@ jobs:
           . .devcontainer/code-artifact-auth.sh
           uv publish --verbose --index code-artifact-primary --username aws --password "$TWINE_PASSWORD"
 
-{% endraw %}{% endif %}{% raw %}
-      - name: Publish distribution to PyPI
+{% endraw %}{% else %}{% raw %}
+      - name: Publish distribution to Test PyPI
         uses: pypa/gh-action-pypi-publish@v1.12.4
         with:
           attestations: false
           repository-url: https://test.pypi.org/legacy/
+{% endraw %}{% endif %}{% raw %}
+
 
   install-from-staging:
     name: Install package from staging registry
@@ -178,7 +180,7 @@ jobs:
           python-version: {% endraw %}{{ python_version }}{% raw %}
       - name: Install from staging registry
         run: pip install -i https://test.pypi.org/simple/ {% endraw %}{{ package_name | replace('_', '-') }}{% raw %}==${{ needs.get-values.outputs.package_version }}
-      - name: Confirm library can be importde successfully
+      - name: Confirm library can be imported successfully
         run: python -c "import {% endraw %}{{ package_name }}{% raw %}"
 
   create-tag:
@@ -195,4 +197,52 @@ jobs:
       - name: Confirm tag not already present
         run: python3 ./.github/workflows/git_tag.py --confirm-tag-not-present
       - name: Create tag
-        run: python3 ./.github/workflows/git_tag.py --push-tag-to-remote{% endraw %}
+        run: python3 ./.github/workflows/git_tag.py --push-tag-to-remote
+
+  publish-to-primary:
+    name: Publish Python distribution to Primary Package Registry
+    needs: [ build ]
+    runs-on: {% endraw %}{{ gha_linux_runner }}{% raw %}
+    environment:
+      name: pypi
+      url: https://pypi.org/p/{% endraw %}{{ package_name | replace('_', '-') }}{% raw %}
+    permissions:
+      attestations: write
+      id-token: write
+    steps:
+      - name: Download all the dists
+        uses: actions/download-artifact@{% endraw %}{{ gha_download_artifact }}{% raw %}
+        with:
+          name: python-package-distributions
+          path: dist/
+{% endraw %}{% if python_package_registry == "AWS CodeArtifact" %}{% raw %}
+      - name: OIDC Auth for Publishing to CodeArtifact
+        uses: aws-actions/configure-aws-credentials@{% endraw %}{{ gha_configure_aws_credentials }}{% raw %}
+        with:
+          role-to-assume: arn:aws:iam::{% endraw %}{{ aws_central_infrastructure_account_id }}{% raw %}:role/GHA-CA-Primary-{% endraw %}{{ repo_name }}{% raw %}
+          aws-region: {% endraw %}{{ aws_org_home_region }}{% raw %}
+
+      - name: Publish distribution to Code Artifact
+        run: |
+          . .devcontainer/code-artifact-auth.sh
+          uv publish --verbose --index code-artifact-primary --username aws --password "$TWINE_PASSWORD"
+
+{% endraw %}{% else %}{% raw %}
+      - name: Publish distribution to PyPI
+        uses: pypa/gh-action-pypi-publish@v1.12.4
+        with:
+          attestations: false{% endraw %}{% endif %}{% raw %}
+
+  install-from-primary:
+    name: Install package from primary registry
+    needs: [ publish-to-primary, get-values ]
+    runs-on: {% endraw %}{{ gha_linux_runner }}{% raw %}
+    steps:
+      - name: Setup python
+        uses: actions/setup-python@{% endraw %}{{ gha_setup_python }}{% raw %}
+        with:
+          python-version: {% endraw %}{{ python_version }}{% raw %}
+      - name: Install from primary registry
+        run: pip install {% endraw %}{{ package_name | replace('_', '-') }}{% raw %}==${{ needs.get-values.outputs.package_version }}
+      - name: Confirm library can be imported successfully
+        run: python -c "import {% endraw %}{{ package_name }}{% raw %}"{% endraw %}