Fixes in the PyPI publish workflow

I separated the PyPI and Test PyPI worflows in two separate files (and
also two different GitHub environments) for ease of configuration and
security. Added better event checks (on tag push and push to master)
The publishing to Test PyPI on each merge requires another step to add a
timestamp to the version number otherwise the upload fails.

.github/workflows/publish-pypi.yml

@@ -1,12 +1,15 @@
-name: Publish to PyPI and TestPyPI
+name: Publish to PyPI
 
-on: push
+# Publish to PyPI when a tag is pushed
+on:
+  push:
+    tags:
+      - 'ckan-**'
 
 jobs:
   build:
     name: Build distribution
     runs-on: ubuntu-latest
-
     steps:
     - uses: actions/checkout@v4
     - name: Set up Python
@@ -22,15 +25,13 @@ jobs:
     - name: Build a binary wheel and a source tarball
       run: python3 -m build
     - name: Store the distribution packages
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: python-package-distributions
         path: dist/
 
   publish-to-pypi:
     name: Publish Python distribution on PyPI
-    # Publish to PyPI when pushing a tag
-    if: startsWith(github.ref, 'refs/tags/')
     needs:
     - build
     runs-on: ubuntu-latest
@@ -41,32 +42,9 @@ jobs:
       id-token: write
     steps:
     - name: Download all the dists
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
         name: python-package-distributions
         path: dist/
     - name: Publish distribution to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
-
-  publish-to-testpypi:
-    name: Publish Python distribution on TestPyPI
-    # Publish to Test PyPI when a pull request is merged
-    if: github.event_name == 'pull_request' && github.event.action == 'closed' && github.event.pull_request.merged == true
-    needs:
-    - build
-    runs-on: ubuntu-latest
-    environment:
-      name: pypi
-      url: https://test.pypi.org/p/ckan
-    permissions:
-      id-token: write
-    steps:
-    - name: Download all the dists
-      uses: actions/download-artifact@v3
-      with:
-        name: python-package-distributions
-        path: dist/
-    - name: Publish distribution to PyPI
-      uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        repository-url: https://test.pypi.org/legacy/

.github/workflows/publish-test-pypi.yml

@@ -0,0 +1,56 @@
+name: Publish to TestPyPI
+
+# Publish to Test PyPI when a pull request is merged to master
+on:
+  push:
+    branches:
+      - 'master'
+
+jobs:
+  build:
+    name: Build distribution
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: "3.9"
+    - name: Add timestamp to version number
+      run: |
+        TIMESTAMP=$(date +"%Y%m%d%H%M")
+        sed -E -i 's/__version__ = "(.*)"$/__version__ = "\1.post'$TIMESTAMP'"/' ckan/__init__.py
+    - name: Install pypa/build
+      run: >-
+        python3 -m
+        pip install
+        build
+        --user
+    - name: Build a binary wheel and a source tarball
+      run: python3 -m build
+    - name: Store the distribution packages
+      uses: actions/upload-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+
+  publish-to-testpypi:
+    name: Publish Python distribution on TestPyPI
+    needs:
+    - build
+    runs-on: ubuntu-latest
+    environment:
+      name: test-pypi
+      url: https://test.pypi.org/p/ckan
+    permissions:
+      id-token: write
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Publish distribution to TestPyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
+      with:
+        repository-url: https://test.pypi.org/legacy/