Setup trusted publishing

.github/workflows/publish-test.yml

@@ -0,0 +1,48 @@
+name: Publish to TestPyPI
+on:
+  push:
+    tags:
+      # Only run for tags ending with `.devN`
+      # https://peps.python.org/pep-0440/#summary-of-permitted-suffixes-and-relative-ordering
+      - '*\.dev\d+'
+jobs:
+  test:
+    uses: ./.github/workflows/test.yml
+
+  build:
+    needs: ['test']
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-python@v3
+        with:
+          python-version: 3.11
+
+      - run: |
+          pip install setuptools
+          python setup.py sdist
+
+      - uses: actions/upload-artifact@v3
+        with:
+          path: ./dist
+
+  # https://docs.pypi.org/trusted-publishers/using-a-publisher/
+  test-pypi-publish:
+    needs: ['build']
+    environment: 'publish-test'
+
+    name: upload release to TestPyPI
+    runs-on: ubuntu-latest
+    permissions:
+      # Mandatory for trusted publishing
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v3
+
+      - name: Publish package distributions to TestPyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: artifact/
+          print-hash: true
+          repository-url: https://test.pypi.org/legacy/

.github/workflows/publish.yml

@@ -0,0 +1,48 @@
+name: Publish to PyPI
+on:
+  push:
+    tags:
+      # Only run for tags **not** ending with `.devN`
+      # https://peps.python.org/pep-0440/#summary-of-permitted-suffixes-and-relative-ordering
+      - '*'
+      - '!*\.dev\d+'
+jobs:
+  test:
+    uses: ./.github/workflows/test.yml
+
+  build:
+    needs: ['test']
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-python@v3
+        with:
+          python-version: 3.11
+
+      - run: |
+          pip install setuptools
+          python setup.py sdist
+
+      - uses: actions/upload-artifact@v3
+        with:
+          path: ./dist
+
+  # https://docs.pypi.org/trusted-publishers/using-a-publisher/
+  pypi-publish:
+    needs: ['build']
+    environment: 'publish'
+
+    name: upload release to PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      # Mandatory for trusted publishing
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v3
+
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: artifact/
+          print-hash: true

.github/workflows/test.yml

@@ -1,11 +1,11 @@
-name: Wagtail Bakery CI
+name: Test & Lint
 
 on:
   push:
     branches:
       - main
-
   pull_request:
+  workflow_call:  # Allow for the publish workflows to run the tests by calling this workflow
 
 jobs:
   test:

Makefile

@@ -1,4 +1,4 @@
-.PHONY: help all clean install flake8 isort lint test build publish publish-test
+.PHONY: help all clean install flake8 isort lint test
 .DEFAULT_GOAL := help
 
 help: ## See what commands are available.
@@ -24,21 +24,3 @@ lint: flake8 isort ## Lint the project.
 
 test: ## Test the project.
 	py.test
-
-build: ## Build the package.
-	@echo '== Cleanup =='
-	rm dist/* 2>/dev/null || true
-	@echo '== Build project =='
-	python setup.py sdist
-
-publish: build ## Publishes a new version to PyPI.
-	@echo '== Publish project to PyPi =='
-	twine upload dist/*
-	@echo '== Success =='
-	@echo 'Go to https://pypi.org/project/wagtail-bakery/ and check that all is well.'
-
-publish-test: build ## Publishes a new version to TestPyPI.
-	@echo '== Publish project to PyPi [TEST] =='
-	twine upload --repository-url https://test.pypi.org/legacy/ dist/*
-	@echo '== Success =='
-	@echo 'Go to https://test.pypi.org/project/wagtail-bakery/ and check that all is well.'

README.md

@@ -155,14 +155,19 @@ Test as follow:
 
 ### Releases
 
-1. Ensure you have the latest versions of `pip`, `setuptools` and `twine` installed in your virtual environment.
 1. Create a new branch (e.g. `release/1.1.3`) for the release of the new version.
 1. Update the version number in `setup.py` following [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 1. Update `CHANGELOG.md`.
 1. On GitHub, create a pull request and squash merge it.
-1. Checkout and pull the `main` branch locally.
-1. (Optional) If you need to verify anything, use `make publish-test` to upload to https://test.pypi.org and enter your PyPi _test_ credentials as needed.
-1. Use `make publish` and enter your PyPi credentials as needed.
+1. On GitHub, if this is a minor release bump (for example `1.1.0` or `1.2.0` but not `1.1.1`, `1.2.3`), create a `stable/1.1.x` branch from `main`.
+1. (Optional) Publish to TestPyPI if you need to verify anything:
+   1. Create and push a tag following the pattern `X.Y.Z.devN` (for example `1.1.3.dev1`).
+   1. Follow the action progress for the [Publish to TestPyPI](https://github.com/wagtail-nest/wagtail-bakery/actions/workflows/publish-test.yml) workflow.
+   1. Check the result on [TestPyPI: wagtail-bakery](https://test.pypi.org/project/wagtail-bakery/).
+1. Publish to PyPI:
+   1. Create and push a tag following [PEP 440 – Version Identification Specification](https://peps.python.org/pep-0440/) (for example `1.1.3` or `1.1.3rc1`), except for the `.devN` suffix used for testing (see _Publish to TestPyPI_ step above)
+   1. Follow the action progress for the [Publish to PyPI](https://github.com/wagtail-nest/wagtail-bakery/actions/workflows/publish.yml) workflow
+   1. Check the result on [PyPI: wagtail-bakery](https://pypi.org/project/wagtail-bakery/)
 1. On GitHub, create a release and a tag for the new version.
 
 ## Credits