Update test_package_build.yml

Author: edeno

.github/workflows/test_package_build.yml

@@ -2,95 +2,175 @@ name: Test building package and publish
 
 on:
   push:
-    branches:
-      - master
-    tags:
-      - "*"
+    branches: [ master ]   # add 'main' if you use it
+    tags: [ "*" ]
   pull_request:
-    branches:
-      - master
+    branches: [ master ]
+  workflow_dispatch:
+
+# Auto-cancel in-progress runs for the same ref
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+# Principle of least privilege (override per-job if needed)
+permissions:
+  contents: read
+
 defaults:
   run:
     shell: bash
+
 jobs:
   build:
+    name: Build sdist/wheel + archive
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: actions/setup-python@v5
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
         with:
           python-version: "3.10"
-      - run: pip install --upgrade build twine
+          cache: "pip"
+
+      - name: Install build tooling
+        run: |
+          python -V
+          pip install --upgrade pip
+          pip install build twine
+
       - name: Build sdist and wheel
         run: python -m build
-      - run: twine check dist/*
+
+      - name: Check artifacts with twine
+        run: twine check dist/*
+
       - name: Upload sdist and wheel artifacts
         uses: actions/upload-artifact@v4
         with:
           name: dist
           path: dist/
+          if-no-files-found: error
+
       - name: Build git archive
-        run: mkdir archive && git archive -v -o archive/archive.tgz HEAD
+        run: |
+          mkdir -p archive
+          git archive -v -o archive/archive.tgz HEAD
+
       - name: Upload git archive artifact
         uses: actions/upload-artifact@v4
         with:
           name: archive
           path: archive/
+          if-no-files-found: error
+
   test-package:
+    name: Install & test from ${{ matrix.package }} on py${{ matrix.python }}
     runs-on: ubuntu-latest
-    needs: [build]
+    needs: [ build ]
     strategy:
+      fail-fast: false
       matrix:
-        package: ['wheel', 'sdist', 'archive']
+        python: [ "3.10", "3.11" ]
+        package: [ "wheel", "sdist", "archive" ]
+
     steps:
-      - name: Download sdist and wheel artifacts
+      - name: Checkout (for notebook test files)
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Download sdist/wheel artifacts
         if: matrix.package != 'archive'
         uses: actions/download-artifact@v4
         with:
           name: dist
           path: dist/
+
       - name: Download git archive artifact
         if: matrix.package == 'archive'
         uses: actions/download-artifact@v4
         with:
           name: archive
           path: archive/
-      - uses: actions/setup-python@v5
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
         with:
-          python-version: "3.10"
+          python-version: ${{ matrix.python }}
+          cache: "pip"
+
       - name: Display Python version
         run: python -c "import sys; print(sys.version)"
-      - name: Update pip
+
+      - name: Upgrade pip
         run: pip install --upgrade pip
-      - name: Install wheel
+
+      - name: Install from wheel
         if: matrix.package == 'wheel'
         run: pip install dist/*.whl
-      - name: Install sdist
+
+      - name: Install from sdist
         if: matrix.package == 'sdist'
         run: pip install dist/*.tar.gz
-      - name: Install archive
+
+      - name: Install from git archive (PEP 517 source tree)
         if: matrix.package == 'archive'
         run: pip install archive/archive.tgz
+
       - name: Install test extras
-        run: pip install track_linearization[test]
+        run: pip install "track_linearization[test]"
+
       - name: Run tests
         run: pytest --doctest-modules -v --pyargs track_linearization
-      - name: Test notebook
-        shell: bash -l {0}
+
+      - name: Execute example notebook
         run: |
-          jupyter nbconvert --to notebook --ExecutePreprocessor.kernel_name=python3 --execute notebooks/test_linearization.ipynb
+          jupyter nbconvert \
+            --to notebook \
+            --inplace \
+            --ExecutePreprocessor.kernel_name=python3 \
+            --ExecutePreprocessor.timeout=1800 \
+            --execute notebooks/test_linearization.ipynb
+
+      - name: Upload executed notebook (always)
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: executed-notebook-${{ matrix.package }}-py${{ matrix.python }}
+          path: notebooks/test_linearization.ipynb
+          if-no-files-found: warn
+
   publish:
+    name: Publish to PyPI
     runs-on: ubuntu-latest
-    needs: [test-package]
+    needs: [ test-package ]
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+    # If you use PyPI Trusted Publishing (OIDC), uncomment permissions below and
+    # remove the 'user/password' inputs from the publish step.
+    # permissions:
+    #   id-token: write
+    #   contents: read
     steps:
-      - uses: actions/download-artifact@v4
+      - name: Download built artifacts
+        uses: actions/download-artifact@v4
         with:
           name: dist
           path: dist/
-      - uses: pypa/gh-action-pypi-publish@release/v1
+
+      # Option A: API Token (what you have now)
+      - name: Publish with API token
+        uses: pypa/gh-action-pypi-publish@release/v1
         with:
           user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
+          password: ${{ secrets.PYPI_API_TOKEN }}
+
+      # Option B (preferred): Trusted Publishing (OIDC)
+      # 1) Enable Trusted Publishers on your PyPI project
+      # 2) Remove the step above and uncomment the step below
+      # - name: Publish via OIDC
+      #   uses: pypa/gh-action-pypi-publish@release/v1