ci: Add workflow for uploading wheels to PyPI (#44)

* Revise publishing workflow to build and test sdist and wheels using hynek/build-and-inspect-python-package and then to publish them to TestPyPI or PyPI using pypa/gh-action-pypi-publish using Trusted Publishers. - c.f. https://docs.pypi.org/trusted-publishers/ * The sdist and wheel building runs on pushes to master, pull requests, on a weekly CRON schedule, workflow dispatch, and on releases. * Publishing to TestPyPI occurs via workflow dispatch if the boolean input 'publish_testpypi' is manually set to 'true'. * Publishing to PyPI occurs on releases through publishing a GitHub release. Co-authored-by: Matthew Feickert <[email protected]>
thaler-lab · Oct 19, 2024 · 2946246 · 2946246
1 parent 72d29df
commit 2946246
Show file tree

Hide file tree

Showing 2 changed files with 86 additions and 50 deletions.
diff --git a/.github/workflows/build-wheels.yml b/.github/workflows/build-wheels.yml
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,86 @@
+name: publish distributions
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+  # Run weekly at 1:23 UTC
+  schedule:
+    - cron: '23 1 * * 0'
+  workflow_dispatch:
+    inputs:
+      publish_testpypi:
+        type: boolean
+        description: 'Publish to TestPyPI'
+        default: false
+  release:
+    types:
+      - published
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  dist:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: hynek/build-and-inspect-python-package@v2
+
+  publish-testpypi:
+    needs: [dist]
+    environment:
+      name: testpypi
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'thaler-lab' && github.event_name == 'workflow_dispatch' && github.event.inputs.publish_testpypi == 'true'
+
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: Packages
+          path: dist
+
+      - name: Publish to TestPyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          print-hash: true
+
+  publish:
+    needs: [dist]
+    environment:
+      name: pypi
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'thaler-lab' && github.event_name == 'release' && github.event.action == 'published'
+
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: Packages
+          path: dist
+
+      - name: Generate artifact attestation for sdist and wheel
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        with:
+          subject-path: "dist/*"
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          print-hash: true
+          attestations: true