fix: Correct reference check in GitHub Actions publish to TestPyPI step (#640)

* More fixes to workflow in #639, only push to testpypi on pushes on master
* Only use scm if the current commit is not tagged
* Protect forks from publishing

Author: kratsg

.github/workflows/publish-package.yml

@@ -23,18 +23,20 @@ jobs:
       run: |
         python -m pip install pep517 --user
     - name: Build a binary wheel and a source tarball
+      env:
+        IS_COMMIT_TAGGED: >-
+          ${{ startsWith(github.ref, 'refs/tags') }}
       run: |
         python -m pep517.build --source --binary --out-dir dist/ .
     - name: Publish distribution 📦 to Test PyPI
-      if: github.event_name == 'push'
+      # every PR will trigger a push event on master, so check the push event is actually coming from master
+      if: github.event_name == 'push' && github.ref == 'refs/heads/master' && github.repository == 'diana-hep/pyhf'
       uses: pypa/[email protected]
-      env:
-        IS_TESTPYPI: ${{ true }}
       with:
         password: ${{ secrets.test_pypi_password }}
         repository_url: https://test.pypi.org/legacy/
     - name: Publish distribution 📦 to PyPI
-      if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+      if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') && github.repository == 'diana-hep/pyhf'
       uses: pypa/[email protected]
       with:
         password: ${{ secrets.pypi_password }}

setup.py

@@ -9,7 +9,7 @@
     long_description = readme_md.read()
 
 extras_require = {
-    'tensorflow': ['tensorflow~=1.15', 'tensorflow-probability~=0.8', 'numpy~=1.16',],
+    'tensorflow': ['tensorflow~=1.15', 'tensorflow-probability~=0.8', 'numpy~=1.16'],
     'torch': ['torch~=1.2'],
     'xmlio': ['uproot'],
     'minuit': ['iminuit'],
@@ -50,22 +50,20 @@
 
 def _is_test_pypi():
     """
-    Determine if the CI environment has IS_TESTPYPI defined and
-    set to true (c.f. .github/workflows/publish-package.yml)
-
+    Determine if the CI environment has IS_COMMIT_TAGGED defined and
+    set to true (c.f. .github/workflows/publish-package-to-pypi.yml)
     The use_scm_version kwarg accepts a callable for the local_scheme
     configuration parameter with argument "version". This can be replaced
     with a lambda as the desired version structure is {next_version}.dev{distance}
     c.f. https://github.com/pypa/setuptools_scm/#importing-in-setuppy
-
     As the scm versioning is only desired for TestPyPI, for depolyment to PyPI the version
     controlled through bumpversion is used.
     """
     from os import getenv
 
     return (
         {'local_scheme': lambda version: ''}
-        if getenv('IS_TESTPYPI') == 'true'
+        if getenv('IS_COMMIT_TAGGED') == 'false'
         else False
     )