[backport 2.3.x] CI: add PyPI Trusted-Publishing “publish” job to wheels workflow (pandas-dev#61669) (pandas-dev#61718) (pandas-dev#62395)

jorisvandenbossche · EvMossan · EpicWink · web-flow · commit 4264ee18af6d · 2025-09-22T09:51:25.000-07:00
Co-authored-by: Evgenii Mosikhin &lt;147685598+EvMossan@users.noreply.github.com&gt;
Co-authored-by: Evgenii Mosikhin &lt;147685598+evgmosme@users.noreply.github.com&gt;
Co-authored-by: Laurie O &lt;laurie_opperman@hotmail.com&gt;
diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml
@@ -13,6 +13,8 @@
 name: Wheel builder
 
 on:
+  release:
+    types: [published]
   schedule:
   # 3:27 UTC every day
   - cron: "27 3 * * *"
@@ -208,3 +210,41 @@ jobs:
           source ci/upload_wheels.sh
           set_upload_vars
           upload_wheels
+
+  publish:
+    if: >
+      github.repository == 'pandas-dev/pandas' &&
+      github.event_name == 'release' &&
+      startsWith(github.ref, 'refs/tags/v')
+
+    needs:
+      - build_sdist
+      - build_wheels
+
+    runs-on: ubuntu-latest
+
+    environment:
+      name: pypi
+    permissions:
+      id-token: write         # OIDC for Trusted Publishing
+      contents: read
+
+    steps:
+      - name: Download all artefacts
+        uses: actions/download-artifact@v4
+        with:
+          path: dist          # everything lands in ./dist/**
+
+      - name: Collect files
+        run: |
+          mkdir -p upload
+          # skip any wheel that contains 'pyodide'
+          find dist -name '*pyodide*.whl' -prune -o \
+                    -name '*.whl'   -exec mv {} upload/ \;
+          find dist -name '*.tar.gz' -exec mv {} upload/ \;
+
+      - name: Publish to **PyPI** (Trusted Publishing)
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: upload
+          skip-existing: true
diff --git a/doc/source/development/maintaining.rst b/doc/source/development/maintaining.rst
@@ -467,9 +467,10 @@ which will be triggered when the tag is pushed.
    - Set as the latest release: Leave checked, unless releasing a patch release for an older version
      (e.g. releasing 1.4.5 after 1.5 has been released)
 
-5. Upload wheels to PyPI::
-
-    twine upload pandas/dist/pandas-<version>*.{whl,tar.gz} --skip-existing
+5. Verify wheels are uploaded automatically by GitHub Actions
+   via `**Trusted Publishing** <https://docs.pypi.org/trusted-publishers/>`__
+   when the GitHub `*Release* <https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases>`__
+   is published. Do not run ``twine upload`` manually.
 
 6. The GitHub release will after some hours trigger an
    `automated conda-forge PR <https://github.com/conda-forge/pandas-feedstock/pulls>`_.
