CI: add Trusted Publishing job to wheels workflow (#61669)

evgenii · evgenii · commit a419d40e092a · 2025-06-26T16:53:20.000+03:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,26 @@
+name: Release – upload to TestPyPI with Trusted Publishing
+
+on:
+  push:
+    tags: ["v*"]          # fires only on tag pushes
+  workflow_dispatch:
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    environment:
+      name: testpypi     
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist
+
+      - name: Publish to TestPyPI (Trusted Publishing)
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml
@@ -219,3 +219,40 @@ jobs:
           source ci/upload_wheels.sh
           set_upload_vars
           upload_wheels
+
+# ---------------------------------------------------------------
+# PUBLISH – upload all wheels & sdist to Test PyPI via OIDC
+# ---------------------------------------------------------------
+  publish:
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+    needs:
+      - build_sdist
+      - build_wheels
+    runs-on: ubuntu-latest
+
+    environment:
+      name: testpypi                # ← keep for dry-run; change to pypi before PR
+    permissions:
+      id-token: write               # OIDC token for Trusted Publishing
+      contents: read
+
+    steps:
+      # 1. Pull every artifact produced by the two upstream jobs
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: dist                # all files land in ./dist/**
+
+      # 2. Move wheels & sdist into a flat 'upload' dir (action expects that)
+      - name: Collect files
+        run: |
+          mkdir -p upload
+          find dist -name '*.whl'   -exec mv {} upload/ \;
+          find dist -name '*.tar.gz' -exec mv {} upload/ \;
+
+      # 3. Publish to **Test PyPI** using Trusted Publishing
+      - name: Publish to TestPyPI (Trusted Publishing)
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          packages-dir: upload
