
[build] release python with trusted publishing#17421

Merged
titusfortner merged 2 commits into trunk from py_trusted on May 8, 2026

Conversation

@titusfortner
Member

@titusfortner titusfortner commented May 7, 2026

Fixes #16082

💥 What does this PR do?

Python has not been publishing via CI for some reason, I tried a few ways to address it and couldn't figure it out, so I think this is the approach we need. I already did the update on pypi.org so this should work.

🔧 Implementation Notes

The alternative is to do what Ruby did and add this to the bazel.yml, but I figured using the github action would be better:

```yaml
- name: Configure PyPI credentials via OIDC
  if: inputs.pypi-trusted-publishing
  run: |
    oidc_token=$(curl -sSfL \
      -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
      "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=pypi" \
      | python3 -c "import sys, json; print(json.load(sys.stdin)['value'])")
    pypi_token=$(curl -sSfL -X POST https://pypi.org/_/oidc/mint-token \
      -H "Content-Type: application/json" \
      --data "{\"token\": \"${oidc_token}\"}" \
      | python3 -c "import sys, json; print(json.load(sys.stdin)['token'])")
    echo "TWINE_PASSWORD=${pypi_token}" >> "$GITHUB_ENV"
    echo "TWINE_USERNAME=__token__" >> "$GITHUB_ENV"
```

🤖 AI assistance

  • No substantial AI assistance used
  • AI assisted (complete below)
    • Tool(s): Claude
    • What was generated:
    • I reviewed all AI output and can explain the change

💡 Additional Considerations

Probably should add a comment in the rake task that python:release is not used in CI for production releases

🔄 Types of changes

  • New feature (non-breaking change which adds functionality and tests!)
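The OIDC exchange that the implementation notes above perform with curl, written out as an added example; this is not code from the PR or from the Selenium repository. It models the two HTTP calls (GitHub's OIDC token endpoint, then PyPI's mint-token endpoint at the URL the snippet uses) behind an injectable `http` callable so it runs offline, and goes one step beyond the snippet: before sending the JWT to PyPI it decodes the payload and checks the `aud`, `repository` and `job_workflow_ref` claims against the owner/repo and workflow filename a trusted publisher is bound to, which is the binding PyPI enforces on its side. The JWT, the request URL, the repository name `example-org/example-project` and the minted token value are all constructed stand-ins; `fake_http` is a hypothetical transport, not a real client.

```python
"""PyPI trusted-publishing exchange, offline model (added example)."""
import base64
import json
from typing import Any, Callable, Dict, List, Optional

# Endpoint and audience are the ones the PR's shell snippet uses.
PYPI_MINT_URL = "https://pypi.org/_/oidc/mint-token"
PYPI_AUDIENCE = "pypi"

# Injectable transport: http(method, url, headers, json_body) -> parsed JSON response.
HttpFn = Callable[[str, str, Dict[str, str], Optional[Dict[str, Any]]], Dict[str, Any]]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> Dict[str, Any]:
    """Decode a compact JWS payload without verifying it.

    The publisher never verifies the signature: PyPI does that against GitHub's
    keys. Decoding here only sanity-checks what is about to be sent.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def claim_problems(claims: Dict[str, Any], repository: str, workflow_file: str) -> List[str]:
    """Reasons a trusted-publisher binding (owner/repo + workflow file) would reject this token."""
    problems = []
    if claims.get("aud") != PYPI_AUDIENCE:
        problems.append(f"aud is {claims.get('aud')!r}, not {PYPI_AUDIENCE!r}")
    if claims.get("repository") != repository:
        problems.append(f"repository is {claims.get('repository')!r}, not {repository!r}")
    # job_workflow_ref has the shape owner/repo/.github/workflows/<file>@<ref>
    ref = claims.get("job_workflow_ref", "")
    if not ref.startswith(f"{repository}/.github/workflows/{workflow_file}@"):
        problems.append(f"job_workflow_ref {ref!r} is not {workflow_file} in {repository}")
    return problems


def mint_pypi_token(http: HttpFn, request_url: str, request_token: str,
                    repository: str, workflow_file: str) -> str:
    """The two calls from the PR's curl snippet, with the claim check in between."""
    # Step 1: GitHub issues a short-lived JWT whose audience is "pypi".
    oidc = http("GET", f"{request_url}&audience={PYPI_AUDIENCE}",
                {"Authorization": f"bearer {request_token}"}, None)
    id_token = oidc["value"]
    problems = claim_problems(jwt_claims(id_token), repository, workflow_file)
    if problems:
        raise PermissionError("; ".join(problems))
    # Step 2: PyPI exchanges that JWT for a short-lived, project-scoped API token.
    minted = http("POST", PYPI_MINT_URL, {"Content-Type": "application/json"}, {"token": id_token})
    return minted["token"]


def github_env_lines(pypi_token: str) -> List[str]:
    """Lines the snippet appends to $GITHUB_ENV so twine picks the token up."""
    return [f"TWINE_PASSWORD={pypi_token}", "TWINE_USERNAME=__token__"]


def mask_command(secret: str) -> str:
    """Workflow command that registers a runtime value so the job log redacts it."""
    return f"::add-mask::{secret}"


# --- Constructed offline stand-ins for both endpoints (no network involved) ---------
FAKE_REQUEST_URL = "https://token.actions.example/_apis/token?api-version=2.0"  # constructed
SAMPLE_CLAIMS = {  # constructed; claim names follow GitHub Actions OIDC tokens
    "aud": "pypi",
    "repository": "example-org/example-project",
    "job_workflow_ref": "example-org/example-project/.github/workflows/release.yml@refs/tags/example-tag",
}


def make_fake_jwt(claims: Dict[str, Any]) -> str:
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.constructed-signature"


def fake_http(method: str, url: str, headers: Dict[str, str], body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    if method == "GET" and url.startswith(FAKE_REQUEST_URL) and headers.get("Authorization", "").startswith("bearer "):
        return {"value": make_fake_jwt(SAMPLE_CLAIMS)}
    if method == "POST" and url == PYPI_MINT_URL and body is not None:
        if jwt_claims(body["token"]).get("aud") != PYPI_AUDIENCE:  # stand-in for PyPI's checks
            raise PermissionError("pypi: wrong audience")
        return {"token": "pypi-constructed-0123"}
    raise RuntimeError(f"unexpected call {method} {url}")


def rejected(repository: str, workflow_file: str) -> bool:
    """True when the claim check stops the token from ever reaching PyPI."""
    try:
        mint_pypi_token(fake_http, FAKE_REQUEST_URL, "constructed-runtime-token", repository, workflow_file)
        return False
    except PermissionError:
        return True


def demo() -> str:
    token = mint_pypi_token(fake_http, FAKE_REQUEST_URL, "constructed-runtime-token",
                            "example-org/example-project", "release.yml")
    print(mask_command(token))  # register the mask before the value can appear in any log line
    print(f"{len(github_env_lines(token))} lines would be appended to $GITHUB_ENV")
    return token


if __name__ == "__main__":
    demo()
```

The claim check is where a misconfigured binding shows up early: a token minted for a different repository or workflow file never leaves the runner, instead of failing on PyPI's side. The `::add-mask::` line matters because the snippet writes the minted token into `$GITHUB_ENV`, and anything later echoed from the environment would otherwise land in the job log in clear.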

Copilot AI review requested due to automatic review settings May 7, 2026 14:59
@qodo-code-review
Contributor

Review Summary by Qodo

Implement trusted publishing for Python PyPI releases

✨ Enhancement


Walkthroughs

Description
• Implement trusted publishing for Python releases via PyPI OIDC
• Separate Python build and publish into dedicated workflow jobs
• Remove Python from general language matrix for independent handling
• Update workflow dependencies to include new publish-python job


File Changes

1. .github/workflows/release.yml ✨ Enhancement +35/-3

Separate Python publishing with OIDC trusted publishing

• Removed Python from the general language matrix to handle it separately
• Added new build-python job to build Python distributions with release config
• Added new publish-python job using PyPA's official GitHub Action for PyPI publishing with OIDC trusted publishing
• Updated docs job dependencies to include publish-python and handle its success/skip states
• Updated on-release-failure job to depend on publish-python and report its status in Slack notifications


@selenium-ci selenium-ci added the B-build Includes scripting, bazel and CI integrations label May 7, 2026
@qodo-code-review
Contributor

qodo-code-review Bot commented May 7, 2026

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Action required

1. Missing artifact download perms ✓ Resolved 🐞 Bug ☼ Reliability
Description
The publish-python job sets job-level permissions to only id-token: write, overriding the workflow
default and stripping all GITHUB_TOKEN scopes. As a result, actions/download-artifact@v4 may be
unable to download pypi-distributions, causing the PyPI publish step to fail.
Code

.github/workflows/release.yml[R100-108]

+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - name: Download Python distributions
+        uses: actions/download-artifact@v4
+        with:
+          name: pypi-distributions
+          path: dist/
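Review bot: the job-level `permissions:` block at the top of this hunk replaces the workflow defaults instead of adding to them, so `GITHUB_TOKEN` in `publish-python` is left with `id-token: write` and nothing else; if `actions/download-artifact@v4` needs a token scope to fetch `pypi-distributions`, add the narrowest one here (e.g. `contents: read`) rather than widening the workflow-level default, so that this job stays the only one able to request an OIDC token. Also, `uses: actions/download-artifact@v4` floats on a mutable tag; for the job that carries the publishing identity, pinning to a full commit SHA (with the tag in a trailing comment) limits what a retargeted tag could feed into the release.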
Evidence
The workflow sets default token permissions (contents: read), but publish-python overrides
permissions to only id-token: write while still using actions/download-artifact. Elsewhere in
the repo, workflows that download artifacts explicitly grant token scopes (e.g., actions: read)
when using download-artifact.

.github/workflows/release.yml[15-17]
.github/workflows/release.yml[96-110]
.github/workflows/release.yml[62-68]
.github/workflows/commit-changes.yml[33-52]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`publish-python` sets `permissions` to only `id-token: write`, which overrides the workflow defaults and leaves the job’s `GITHUB_TOKEN` without the scopes that `actions/download-artifact@v4` may require to fetch artifacts. This can break Python publishing because the `pypi-distributions` artifact may not download.

## Issue Context
This workflow already uses a broader permission set in other jobs that perform authenticated GitHub API operations (including artifact downloads).

## Fix Focus Areas
- .github/workflows/release.yml[96-110]

## Suggested change
Update `publish-python` permissions to include the minimal required scopes for artifact download, e.g.:
```yml
permissions:
 id-token: write
 contents: read
 actions: read
```
(Keep `id-token: write` for PyPI trusted publishing.)



Contributor

Copilot AI left a comment


Pull request overview

This PR adjusts the Selenium release workflow so Python is published to PyPI via PyPI “trusted publishing” (GitHub OIDC) rather than via the existing Bazel reusable publish workflow.

Changes:

  • Removes Python from the main publish matrix job.
  • Adds a dedicated build-python job to produce wheel/sdist artifacts via Bazel.
  • Adds a dedicated publish-python job that publishes those artifacts to PyPI using pypa/gh-action-pypi-publish@release/v1, and wires downstream jobs to depend on it.

Reminder: after changing GitHub workflow YAML, run ./go format (CI will check formatting/linting).

Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

@titusfortner titusfortner merged commit 2e8ef9e into trunk May 8, 2026
64 of 65 checks passed
@titusfortner titusfortner deleted the py_trusted branch May 8, 2026 07:37

Labels

B-build Includes scripting, bazel and CI integrations


Development

Successfully merging this pull request may close these issues.

[🚀 Feature]: Publish Python packages to PyPI as a Trusted Publisher with digital attestation

3 participants