CI: set up workflow_dispatch and skips for trusted publishing

Author: rgommers

.github/workflows/wheels.yml

@@ -14,9 +14,15 @@ on:
       - main
       - maintenance/**
   push:
-    tags:
-      - v*
+    branches:
+      - main  # FOR TESTING ONLY
   workflow_dispatch:
+    inputs:
+      environment:
+        description: Which PyPI environment to upload to, if any
+        required: true
+        type: choice
+        options: ["none", "testpypi", "pypi"]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -68,7 +74,8 @@ jobs:
             python: "cp314t"
 
     env:
-      IS_32_BIT: ${{ matrix.buildplat[1] == 'win32' }}
+      IS_32_BIT: ${{ matrix.buildplat[1] == 'win32' }}  # used in a cibw_*.sh script
+
     steps:
       - name: Checkout numpy-release
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -135,12 +142,12 @@ jobs:
           CIBW_BUILD: ${{ matrix.python }}-${{ matrix.buildplat[1] }}
         run: |
           python -m pip install cibuildwheel==3.1.0
-          python -m cibuildwheel numpy-src --config-file cibuildwheel.toml --output-dir ./wheelhouse
+          python -m cibuildwheel numpy-src --config-file cibuildwheel.toml --output-dir ./dist
 
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: ${{ matrix.python }}-${{ matrix.buildplat[1] }}-${{ matrix.buildplat[2] }}
-          path: ./wheelhouse/*.whl
+          path: ./dist/*.whl
 
   build_sdist:
     name: Build sdist
@@ -171,36 +178,47 @@ jobs:
           path: ./dist/*
 
   testpypi-publish:
-    name: Upload release to TestPyPI
-    if: # TODO - add a release True/False? and on `main`?
+    name: Publish release to TestPyPI
+    if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'testpypi'
     needs: [build_wheels, build_sdist]
     runs-on: ubuntu-latest
     environment:
-      name: pypi
-      url: https://pypi.org/p/numpy
+      name: testpypi
+      url: https://test.pypi.org/p/numpy
     permissions:
-      id-token: write
+      id-token: write  # mandatory for trusted publishing
     steps:
-      # TODO: retrieve your distributions here
+      - name: Download sdist and wheels
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v.4.3.0
+        with:
+          path: dist
 
-    - name: Publish package distributions to PyPI
-      uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc  # v1.12.4
-      with:
-        print-hash: true
+      - name: Publish
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc  # v1.12.4
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          skip-existing: true
+          print-hash: true
+          attestations: true
 
   pypi-publish:
-    name: Upload release to PyPI
+    name: Publish release to PyPI
+    if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'pypi'
     needs: [build_wheels, build_sdist]
     runs-on: ubuntu-latest
     environment:
       name: pypi
       url: https://pypi.org/p/numpy
     permissions:
-      id-token: write
+      id-token: write  # mandatory for trusted publishing
     steps:
-      # TODO: retrieve your distributions here
+      - name: Download sdist and wheels
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v.4.3.0
+        with:
+          path: dist
 
-    - name: Publish package distributions to PyPI
-      uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc  # v1.12.4
-      with:
-        print-hash: true
+      - name: Publish
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc  # v1.12.4
+        with:
+          print-hash: true
+          attestations: true