Make python publish a separate job (#69)

Author: blink1073

README.md

@@ -310,27 +310,56 @@ Push the commit and tag to the source branch unless `dry_run` is set.
     dry_run: ${{ inputs.dry_run }}
 ```
 
-### Publish
+### Post-publish
 
-Handles tasks related to publishing Python packages, including
-signing `dist` file and publishing the `dist` files to PyPI.
+To be run after separately publishing the [Python package](https://github.com/pypa/gh-action-pypi-publish#trusted-publishing).
+Handles follow-up tasks related to publishing Python packages, including
+signing `dist` files and uploading report assets to S3.
 It will also push the following (dev) version to the source branch.
 It will create a draft GitHub release and attach the signature files.
-Finally, it will publish a report to the appropriate S3 bucket.
-If `dry_run` is set, nothing will be published or pushed.
+If `dry_run` is set, nothing will be pushed.
 
-```yaml
-- name: Setup
-  uses: mongodb-labs/drivers-github-tools/setup@v2
-  with:
-    ...
+The jobs should look something like:
 
-- uses: mongodb-labs/drivers-github-tools/python/publish@v2
-  with:
-    version: ${{ inputs.version }}
-    following_version: ${{ inputs.following_version }}
-    version_bump_script: ./.github/scripts/bump-version.sh
-    product_name: winkerberos
-    token: ${{ github.token }}
-    dry_run: ${{ inputs.dry_run }}
-```
+```yaml
+publish:
+  name: Upload release to PyPI
+  runs-on: ubuntu-latest
+  environment: release
+  permissions:
+    id-token: write
+  steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v4
+      with:
+        name: all-dist-${{ github.run_id }}
+        path: dist/
+    - name: Publish package distributions to PyPI
+      if: inputs.dry_run == 'false'
+      uses: pypa/gh-action-pypi-publish@release/v1
+
+post-publish:
+  needs: [publish]
+  name: Handle post-publish actions
+  runs-on: ubuntu-latest
+  environment: release
+  permissions:
+    id-token: write
+    contents: write
+    attestations: write
+    security-events: write
+  steps:
+  - name: Setup
+    uses: mongodb-labs/drivers-github-tools/setup@v2
+    with:
+      ...
+
+  - uses: mongodb-labs/drivers-github-tools/python/post-publish@v2
+    with:
+      version: ${{ inputs.version }}
+      following_version: ${{ inputs.following_version }}
+      version_bump_script: ./.github/scripts/bump-version.sh
+      product_name: winkerberos
+      token: ${{ github.token }}
+      dry_run: ${{ inputs.dry_run }}
+```

python/publish/action.yml renamed to python/post-publish/action.yml

@@ -1,6 +1,6 @@
 
-name: Publish Python
-description: Publish Assets and Report
+name: Python Post-Publish
+description: Perform post-release operations for Python Libraries
 inputs:
   version:
     description: The published version
@@ -76,26 +76,14 @@ runs:
     - name: Run GitHub Publish script
       shell: bash
       id: publish-script
-      run: ${{ github.action_path }}/publish.sh
+      run: ${{ github.action_path }}/post-publish.sh
       env:
         GH_TOKEN: ${{ inputs.token }}
         VERSION: ${{ inputs.version }}
         TAG_TEMPLATE: ${{ inputs.tag_template }}
         PRODUCT_NAME: ${{ inputs.product_name }}
         DRY_RUN: ${{ inputs.dry_run }}
         FOLLOWING_VERSION: ${{ inputs.following_version }}
-    # https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#publishing-the-distribution-to-pypi
-    - name: Publish distribution 📦 to PyPI
-      if: inputs.dry_run == 'false'
-      # Pinned due to https://github.com/pypa/gh-action-pypi-publish/issues/290
-      uses: pypa/[email protected]
-      with:
-        repository-url: ${{ inputs.repository_url }}
-    - name: Do Not Publish distribution 📦 to PyPI on Dry Run
-      if: inputs.dry_run == 'true'
-      shell: bash
-      run: |
-        echo "Dry run, not uploading to PyPI" >> $GITHUB_STEP_SUMMARY
     - uses: actions/attest-build-provenance@v1
       if: inputs.dry_run == 'false'
       with:

python/publish/handle_following_version.py renamed to python/post-publish/handle_following_version.py

@@ -34,8 +34,7 @@ runs:
     - name: Install hatch
       shell: bash
       working-directory: ${{ inputs.working_directory }}
-      # TODO: remove when #62 is fixed.
-      run: pipx install "hatch<1.27"
+      run: pipx install hatch
     - name: Check if we should push changes
       shell: bash
       run: |