Add a release workflow

Author: AA-Turner

.github/workflows/ci.yml

@@ -70,109 +70,3 @@ jobs:
         uses: codecov/codecov-action@v4
         with:
           flags: unittests
-
-  check:
-    if: always()
-    needs: [test, lint]
-    runs-on: ubuntu-latest
-    steps:
-    - name: Decide whether the needed jobs succeeded or failed
-      uses: re-actors/alls-green@release/v1
-      with:
-        jobs: ${{ toJSON(needs) }}
-
-  build:
-    runs-on: ubuntu-latest
-    name: build
-    # only run on push to main and on release, or with tag
-    if: "success() && (startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'Full Build'))"
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3"
-
-      - name: Install build dependencies (pypa/build)
-        run: |
-          pip install -U pip
-          pip install build
-
-      - name: Build distribution
-        run: python -m build
-
-      - run: ls -altrh dist/
-        shell: bash
-
-      - uses: actions/upload-artifact@v3
-        with:
-          name: pypi_files
-          path: dist
-
-  inspect-pypi-assets:
-    needs: [build]
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: get dist artifacts
-        uses: actions/download-artifact@v3
-        with:
-          name: pypi_files
-          path: dist
-
-      - name: list dist files
-        run: |
-          ls -lh dist/
-          echo "`ls dist | wc -l` files"
-      - name: extract and list sdist file
-        run: |
-          mkdir sdist-files
-          tar -xvf dist/*.tar.gz -C sdist-files
-          tree -a sdist-files
-      - name: extract and list wheel file
-        run: |
-          ls dist/*.whl | head -n 1
-          python -m zipfile --list `ls dist/*.whl | head -n 1`
-
-  release:
-    needs: [build, check]
-    if: "success() && startsWith(github.ref, 'refs/tags/')"
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3"
-
-      - name: Install build dependencies (twine)
-        run: |
-          pip install -U pip
-          pip install twine
-
-      - name: get dist artifacts
-        uses: actions/download-artifact@v3
-        with:
-          name: pypi_files
-          path: dist
-
-      - name: Upload to PyPI
-        env:
-          TWINE_NON_INTERACTIVE: "true"
-          TWINE_USERNAME: "__token__"
-          TWINE_PASSWORD: "${{ secrets.pypi_token }}"
-        run: |
-          twine check dist/*
-          twine upload dist/*
-
-      - name: upload to github release
-        uses: softprops/action-gh-release@v1
-        with:
-          files: |
-            dist/*
-          generate_release_notes: true

.github/workflows/create-release.yml

@@ -0,0 +1,90 @@
+name: Create release
+
+on:
+  push:
+    tags:
+    - "*"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  publish-pypi:
+    runs-on: ubuntu-latest
+    name: PyPI Release
+    environment: release
+    permissions:
+      id-token: write  # for PyPI trusted publishing
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3"
+          cache: pip
+          cache-dependency-path: pyproject.toml
+
+      - name: Install build dependencies (pypa/build, twine)
+        run: |
+          pip install -U pip
+          pip install build twine
+
+      - name: Build distribution
+        run: python -m build
+
+      - name: Mint PyPI API token
+        id: mint-token
+        uses: actions/github-script@v7
+        with:
+          # language=JavaScript
+          script: |
+            // retrieve the ambient OIDC token
+            const oidc_request_token = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
+            const oidc_request_url = process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
+            const oidc_resp = await fetch(`${oidc_request_url}&audience=pypi`, {
+              headers: {Authorization: `bearer ${oidc_request_token}`},
+            });
+            const oidc_token = (await oidc_resp.json()).value;
+
+            // exchange the OIDC token for an API token
+            const mint_resp = await fetch('https://pypi.org/_/oidc/github/mint-token', {
+              method: 'post',
+              body: `{"token": "${oidc_token}"}` ,
+              headers: {'Content-Type': 'application/json'},
+            });
+            const api_token = (await mint_resp.json()).token;
+
+            // mask the newly minted API token, so that we don't accidentally leak it
+            core.setSecret(api_token)
+            core.setOutput('api-token', api_token)
+
+      - name: Upload to PyPI
+        env:
+          TWINE_NON_INTERACTIVE: "true"
+          TWINE_USERNAME: "__token__"
+          TWINE_PASSWORD: "${{ steps.mint-token.outputs.api-token }}"
+        run: |
+          twine check dist/*
+          twine upload dist/*
+
+  github-release:
+    runs-on: ubuntu-latest
+    name: GitHub release
+    environment: release
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
+    steps:
+      - uses: actions/checkout@v4
+      - name: Get release version
+        id: get_version
+        uses: actions/github-script@v7
+        with:
+          script: core.setOutput('version', context.ref.replace("refs/tags/", ""))
+
+      - name: Create GitHub release
+        uses: softprops/action-gh-release@v1
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          name: "Release ${{ steps.get_version.outputs.version }}"
+          generate_release_notes: true