chore: Fix GitHub Actions findings with zizmor #350

	name: Build and upload to PyPI

	on:
	pull_request:
	push:
	branches: [main]
	release:
	types:
	- published

	jobs:
	build_wheels:
	name: Build wheels on ${{ matrix.os }}
	runs-on: ${{ matrix.os }}
	strategy:
	matrix:
	# macos-13 is pre-ARM
	os: [ ubuntu-24.04, windows-2022, macos-13, macos-latest ]

	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	fetch-depth: 0

	- name: Build wheels
	uses: pypa/cibuildwheel@63fd63b352a9a8bdcc24791c9dbee952ee9a8abc # v3.3.0
	env:
	CIBW_SKIP: pp*

	- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
	with:
	name: pytsql-wheel-${{ matrix.os }}
	path: ./wheelhouse/*.whl
	if-no-files-found: error

	build_sdist:
	name: Build source distribution
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	fetch-depth: 0

	- name: Build sdist
	run: pipx run build --sdist

	- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
	with:
	name: pytsql-sdist
	path: dist/*.tar.gz
	if-no-files-found: error

	upload_pypi:
	name: Upload to PyPI
	needs: [build_wheels, build_sdist]
	environment: pypi
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	contents: write
	if: github.event_name == 'release' && github.event.action == 'published'
	steps:
	- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
	with:
	pattern: pytsql-*
	merge-multiple: true
	path: dist

	- uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0

Provide feedback