workflows: automatically publish releases to PyPI

bgilbert · bgilbert · commit d8cfc7da88ed · 2023-11-19T06:39:59.000-06:00
Use PyPI's trusted publisher mechanism, which is configured to require
deploying via a GitHub environment, which is configured to require manual
approval.

Signed-off-by: Benjamin Gilbert &lt;bgilbert@cs.cmu.edu&gt;
diff --git a/.github/ISSUE_TEMPLATE/release.md b/.github/ISSUE_TEMPLATE/release.md
@@ -2,10 +2,10 @@
 
 - [ ] Update `CHANGELOG.md` and version in `openslide/_version.py`
 - [ ] Create and push signed tag
-- [ ] `git clean -dxf && mkdir dist`
-- [ ] Find the [workflow run](https://github.com/openslide/openslide-python/actions/workflows/python.yml) for the tag; download its dist and docs artifacts
-- [ ] `unzip /path/to/downloaded/openslide-python-dist.zip && mv openslide-python-dist-*/* dist/`
-- [ ] `twine upload dist/*`
+- [ ] Find the [workflow run](https://github.com/openslide/openslide-python/actions/workflows/python.yml) for the tag
+  - [ ] Once the build finishes, approve deployment to PyPI
+  - [ ] Download the docs artifact
+- [ ] Verify that the workflow created a [PyPI release](https://pypi.org/p/openslide-python) with a description, source tarball, and wheels
 - [ ] Verify that the workflow created a [GitHub release](https://github.com/openslide/openslide-python/releases) with release notes, a source tarball, and wheels
 - [ ] `cd` into website checkout; `rm -r api/python && unzip /path/to/downloaded/openslide-python-docs.zip && mv openslide-python-docs-* api/python`
 - [ ] Update website: `_data/releases.yaml`, `_includes/news.md`
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -222,16 +222,24 @@ jobs:
   release:
     name: Release
     if: github.ref_type == 'tag'
+    environment:
+      name: pypi
+      url: https://pypi.org/p/openslide-python
     needs: [pre-commit, tests, windows]
     runs-on: ubuntu-latest
     concurrency: release-${{ github.ref }}
     permissions:
       contents: write
+      id-token: write
     steps:
     - name: Download artifacts
       uses: actions/download-artifact@v3
       with:
         name: ${{ needs.pre-commit.outputs.dist-base }}
+    - name: Release to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
+      with:
+        packages-dir: ${{ needs.pre-commit.outputs.dist-base }}
     - name: Release to GitHub
       env:
         GITHUB_TOKEN: ${{ github.token }}
