CI: add automatic publication to pypi.org and test.pypi.org

We want to reduce the potential for human error in our publication process
and also streamline the process for everyone with the permission to create
tags in the repository.

The CI job runs for new commits pushed to the master branch and newly
pushed tags, as long as the PUBLISH_PYPI GitHub Action variable is set
to "true".
This is to prevent CI runs on forked repository from failing because they
are not allowed to publish on pypi.org and test.pypi.org.
A fork that wants to use the publish logic just has to set the
PUBLISH_PYPI variable for their repository.

The job does not check out the git repository (hence why it does not use
the existing publication logic in the Makefile) and instead downloads
the artifacts generated by the build job.

All builds are uploaded to test.pypi.org (so they can be tested via pip
install) and tagged releases are uploaded to pypi.org as well.

Also remove the upload helpers from the Makefile to make it clear that
they are replaced by the automated process.

Signed-off-by: Leonard Göhrs <[email protected]>

.github/workflows/check-and-publish.yaml

@@ -0,0 +1,72 @@
+name: Check and Publish
+
+on: [push, pull_request]
+
+jobs:
+  codespell:
+    name: Codespell
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: make qa-codespell
+
+  prettier:
+    name: Prettier
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: latest
+      - run: make qa-prettier
+
+  ruff:
+    name: Python Format and Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: make qa-ruff
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # include tags and full history for setuptools_scm
+          fetch-depth: 0
+      - run: make build
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist
+
+  publish:
+    name: Publish
+    if: |
+      ${{
+        github.event_name == 'push'
+        && vars.PUBLISH_PYPI == 'true'
+        && (startsWith(github.ref, 'refs/tags') || github.ref == 'refs/heads/master')
+      }}
+    runs-on: ubuntu-latest
+    needs:
+      - codespell
+      - prettier
+      - ruff
+      - build
+    permissions:
+      id-token: write
+    steps:
+      - name: Download artifacts from build stage
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - name: Publish distribution package to TestPyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+      - name: Publish distribution package to PyPI
+        if: ${{ startsWith(github.ref, 'refs/tags') }}
+        uses: pypa/gh-action-pypi-publish@release/v1

Makefile

@@ -37,10 +37,10 @@ $(PYTHON_PACKAGING_VENV)/.created:
 	$(PYTHON) -m venv $(PYTHON_PACKAGING_VENV) && \
 	. $(PYTHON_PACKAGING_VENV)/bin/activate && \
 	python3 -m pip install --upgrade pip && \
-	python3 -m pip install build twine && \
+	python3 -m pip install build && \
 	date > $(PYTHON_PACKAGING_VENV)/.created
 
-.PHONY: packaging-env build _release
+.PHONY: packaging-env build
 
 packaging-env: $(PYTHON_PACKAGING_VENV)/.created
 
@@ -49,10 +49,6 @@ build: packaging-env
 	rm -rf dist *.egg-info && \
 	python3 -m build
 
-_release: build
-	. $(PYTHON_PACKAGING_VENV)/bin/activate && \
-	twine upload dist/*
-
 # testing #####################################################################
 $(PYTHON_TESTING_ENV)/.created:
 	rm -rf $(PYTHON_TESTING_ENV) && \