Hash pin GitHub Actions #430

	name: Build & maybe upload PyPI package

	on:
	push:
	pull_request:
	release:
	types:
	- published
	workflow_dispatch:

	permissions: {}

	env:
	FORCE_COLOR: 1

	jobs:
	# Always build & lint package.
	build-package:
	name: Build & verify package
	runs-on: ubuntu-latest

	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0

	- name: Compile translations
	run: \|
	pip install --upgrade pip
	pip install -r requirements.txt
	python babel_runner.py compile

	- uses: hynek/build-and-inspect-python-package@fe0a0fb1925ca263d076ca4f2c13e93a6e92a33e # v2.17.0

	# Upload to real PyPI on GitHub Releases.
	release-pypi:
	name: Publish to PyPI
	environment: release-pypi
	# Only run for published releases.
	if: \|
	github.repository_owner == 'python'
	&& github.event.action == 'published'
	runs-on: ubuntu-latest
	needs: build-package

	permissions:
	id-token: write

	steps:
	- name: Download packages built by build-and-inspect-python-package
	uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
	with:
	name: Packages
	path: dist

	- name: Upload package to PyPI
	uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0

Provide feedback