From bee20426cdd1ac9cde2b1de5e3cd323cc3d649ff Mon Sep 17 00:00:00 2001
From: "george.robertson1" <50412379+georgeRobertson@users.noreply.github.com>
Date: Mon, 9 Mar 2026 11:44:44 +0000
Subject: [PATCH 1/2] ci: add pypi release ci script
---
 .github/workflows/ci_publish.yml | 59 ++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 .github/workflows/ci_publish.yml
diff --git a/.github/workflows/ci_publish.yml b/.github/workflows/ci_publish.yml
new file mode 100644
index 0000000..3c7ed9e
--- /dev/null
+++ b/.github/workflows/ci_publish.yml
@@ -0,0 +1,59 @@
+name: CI Publish
+
+on:
+ release:
+ types: [published]
+
+jobs:
+ build:
+ name: Build dist
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v6
+
+ - name: Install extra dependencies for a python install
+ run: |
+ sudo apt-get update
+ sudo apt -y install --no-install-recommends liblzma-dev libbz2-dev libreadline-dev
+
+ - name: Install asdf cli
+ uses: asdf-vm/actions/setup@v4
+
+ - name: Install software through asdf
+ uses: asdf-vm/actions/install@v4
+
+ - name: reshim asdf
+ run: asdf reshim
+
+ - name: ensure poetry using desired python version
+ run: poetry env use $(asdf which python)
+
+ - name: build wheels
+ run: make dist
+
+ - name: store wheels
+ uses: actions/upload-artifact@v5
+ with:
+ name: dve-wheels
+ path: dist/
+
+ publish-to-pypi:
+ name: Publish to PyPi
+ if: startsWith(github.ref, 'refs/tags/')
+ needs:
+ - build
+ runs-on: ubuntu-24.04
+ environment:
+ name: pypi
+ url: https://pypi.org/org/nhs/data-validation-engine
+ permissions:
+ id_token: write # IMPORTANT: mandatory for trusted publishing
+ steps:
+ - name: download dist
+ uses: actions/download-artifact@v6
+ with:
+ name: dve-wheels
+ path: dist/
+
+ - name: publish
+ uses: pypa/gh-action-pypi-publish@release/v1
From b4e0e14d4c5c26bb9d1fceac4296a9b54033942e Mon Sep 17 00:00:00 2001
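Review bot: In the `publish-to-pypi` job the permission is spelled `id_token: write`, but the GitHub Actions permission scope for OIDC is `id-token`; as written the workflow should either fail validation or leave the publish step without an OIDC token, so trusted publishing cannot work. Change the line to `id-token: write  # IMPORTANT: mandatory for trusted publishing`. Separately, the `build` job declares no `permissions:`, so `make dist` and the asdf-installed tooling run with the repository's default `GITHUB_TOKEN` scope. A top-level `permissions:` block with `contents: read`, plus `persist-credentials: false` on the checkout step, would keep the build job least-privileged.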
From: "george.robertson1" <50412379+georgeRobertson@users.noreply.github.com>
Date: Mon, 9 Mar 2026 11:51:34 +0000
Subject: [PATCH 2/2] ci: lock 3rd party github actions to specific releases
---
 .github/workflows/ci_publish.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci_publish.yml b/.github/workflows/ci_publish.yml
index 3c7ed9e..e8d6f47 100644
--- a/.github/workflows/ci_publish.yml
+++ b/.github/workflows/ci_publish.yml
@@ -17,10 +17,10 @@ jobs:
 sudo apt -y install --no-install-recommends liblzma-dev libbz2-dev libreadline-dev

 - name: Install asdf cli
- uses: asdf-vm/actions/setup@v4
+ uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 # v4.0.1

 - name: Install software through asdf
- uses: asdf-vm/actions/install@v4
+ uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47 # v4.0.1

 - name: reshim asdf
 run: asdf reshim
@@ -56,4 +56,4 @@ jobs:
 path: dist/

 - name: publish
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
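Review bot: The first-party steps are still on mutable tags after this commit: `actions/checkout@v6` and `actions/upload-artifact@v5` in `build`, and `actions/download-artifact@v6` in `publish-to-pypi`, which is the job that holds the OIDC publishing permission. None of those lines fall inside these two hunks. If the intent is that a moved tag cannot change what runs in the release path, pin them the same way, e.g. `uses: actions/download-artifact@<full-commit-sha> # v6.x.y` (placeholder; resolve the SHA from the upstream release). The SHA-to-version comments on the three pinned lines cannot be checked from the diff, so verify each against the upstream tag. A Dependabot `github-actions` entry would keep the pins updated instead of letting them go stale.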