ci(workflows): bump actions, setup trusted publish on pypi & add py3.15 on experimental (#3)

- Update github actions
- Change publish action to support OIDC trusted publish on pypi
- Add py3.15 on expirimental (and pass py3.14 on supported env)

Author: manawasp

.github/workflows/deploy-docs.yml

@@ -16,39 +16,38 @@ jobs:
     name: Build docs
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-      with:
-        fetch-depth: 0 # otherwise, you will failed to push refs to dest repo
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # otherwise, you will failed to push refs to dest repo
 
-    - uses: actions/setup-python@v5
-      with:
-        python-version: '3.13'
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.14"
 
-    - name: Install dependencies
-      run: pip install -r requirements.txt
+      - name: Install dependencies
+        run: pip install -r requirements.txt
 
-    - name: Build docs
-      run: scripts/build-docs.sh
+      - name: Build docs
+        run: scripts/build-docs.sh
 
-    - name: Upload artifacts
-      uses: actions/upload-pages-artifact@v3
-      with:
-        # Upload built docs
-        path: "./site"
+      - name: Upload artifacts
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: "./site"
   deploy:
     name: Deploy docs
     if: github.event_name == 'release' && github.event.action == 'created'
     needs: build
     runs-on: ubuntu-latest
     # Grant GITHUB_TOKEN the permissions required to make a Pages deployment
     permissions:
-      pages: write      # to deploy to Pages
-      id-token: write   # to verify the deployment originates from an appropriate source
+      pages: write
+      id-token: write
     # Deploy to the github-pages environment
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     steps:
-    - uses: actions/deploy-pages@v4
-      id: deployment
-      name: "Deploy to GitHub Pages"
+      - uses: actions/deploy-pages@v4
+        id: deployment
+        name: "Deploy to GitHub Pages"

.github/workflows/publish.yml

@@ -5,36 +5,40 @@ on:
   release:
     types: [created]
     branches:
-      - 'master'
+      - "master"
 
 jobs:
   build:
     name: Build distributable files
-    runs-on: 'ubuntu-latest'
+    runs-on: "ubuntu-latest"
     steps:
-      - name: 'Checkout source repository'
+      - name: "Checkout source repository"
         uses: actions/checkout@v4
         with:
-            fetch-depth: 0
+          fetch-depth: 0
 
       - uses: actions/setup-python@v5
+        with:
+          python-version: "3.14"
 
       - name: Install build dependencies
         run: pip install build twine
 
-      - name: 'Build package'
+      - name: "Build package"
         run: scripts/build.sh
 
       - name: Upload build artifacts
         uses: actions/upload-artifact@v4
         with:
-          path: 'dist/*'
+          path: "dist/*"
 
   upload_pypi:
     name: Upload packages
-    needs: ['build']
-    runs-on: 'ubuntu-latest'
+    needs: ["build"]
+    runs-on: "ubuntu-latest"
     if: github.event_name == 'release' && github.event.action == 'created'
+    permissions:
+      id-token: write
     steps:
       - name: Download artifacts
         uses: actions/download-artifact@v4
@@ -44,6 +48,3 @@ jobs:
 
       - name: Publish package to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: '__token__'
-          password: '${{ secrets.PYPI_API_TOKEN }}'

.github/workflows/tests.yml

@@ -26,16 +26,17 @@ jobs:
           - "3.11"
           - "3.12"
           - "3.13"
-        experimental: [ false ]
+          - "3.14"
+        experimental: [false]
         include:
-          - python-version: "~3.14.0-0"
+          - python-version: "~3.15.0-0"
             experimental: true
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
-            fetch-depth: 0
-      - uses: "actions/setup-python@v4"
+          fetch-depth: 0
+      - uses: "actions/setup-python@v5"
         with:
           python-version: "${{ matrix.python-version }}"
           cache: "pip"
@@ -56,16 +57,16 @@ jobs:
       - name: Enforce coverage
         uses: codecov/codecov-action@v4
         with:
-            token: ${{ secrets.CODECOV_TOKEN }}
+          token: ${{ secrets.CODECOV_TOKEN }}
 
-  check:  # This job does nothing and is only used for the branch protection
+  check: # This job does nothing and is only used for the branch protection
     name: ✅ Ensure the required checks passing
     if: always()
     needs:
       - tests
     runs-on: ubuntu-latest
     steps:
-    - name: Decide whether the needed jobs succeeded or failed
-      uses: re-actors/alls-green@release/v1
-      with:
-        jobs: ${{ toJSON(needs) }}
+      - name: Decide whether the needed jobs succeeded or failed
+        uses: re-actors/alls-green@release/v1
+        with:
+          jobs: ${{ toJSON(needs) }}

pyproject.toml

@@ -40,6 +40,7 @@ classifiers = [
     "Programming Language :: Python :: 3.11",
     "Programming Language :: Python :: 3.12",
     "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
     "Programming Language :: Python :: Implementation :: CPython",
     "Programming Language :: Python :: Implementation :: PyPy",
     "Operating System :: POSIX",