ci: guard publish; only run on tags that point to main

Author: gersmann

.github/workflows/publish.yml

@@ -10,8 +10,34 @@ permissions:
   id-token: write
 
 jobs:
+  guard:
+    name: Guard (tag points to main?)
+    runs-on: ubuntu-latest
+    outputs:
+      publish: ${{ steps.check.outputs.publish }}
+    steps:
+      - name: Checkout (shallow)
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Check if tag commit is on main
+        id: check
+        env:
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+        run: |
+          git fetch origin $DEFAULT_BRANCH --depth=1
+          if git merge-base --is-ancestor "$GITHUB_SHA" "origin/$DEFAULT_BRANCH"; then
+            echo "publish=true" >> "$GITHUB_OUTPUT"
+            echo "Tag commit is on $DEFAULT_BRANCH; will publish."
+          else
+            echo "publish=false" >> "$GITHUB_OUTPUT"
+            echo "Tag commit is NOT on $DEFAULT_BRANCH; skipping publish."
+          fi
+
   build-wheels:
     name: Build native wheels
+    needs: guard
+    if: needs.guard.outputs.publish == 'true'
     continue-on-error: ${{ matrix.allow-failure == true }}
     strategy:
       fail-fast: false
@@ -61,6 +87,8 @@ jobs:
 
   build-sdist:
     name: Build sdist
+    needs: guard
+    if: needs.guard.outputs.publish == 'true'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
@@ -91,7 +119,8 @@ jobs:
 
   publish:
     name: Publish to PyPI (Trusted Publishing)
-    needs: [build-wheels, build-sdist]
+    needs: [guard, build-wheels, build-sdist]
+    if: needs.guard.outputs.publish == 'true'
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts