Publish to PyPI with trusted publishing

Trusted publishing (with attestations) means I have high confidence that what I download from PyPI is the same artefact which was generated in GitHub CI, meaning that what I see in GitHub is the same as what is installed - handy for auditing.

This is instead of manually uploading via a local invocation of `twine`.

See [the Python packaging documentation](https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#configuring-trusted-publishing), [the PyPI documentation](https://docs.pypi.org/trusted-publishers/), and [the official pypi-publish GitHub action documentation](https://github.com/pypa/gh-action-pypi-publish?tab=readme-ov-file#trusted-publishing) on trusted publishing.

<details><summary>Implementation (using GitHub actions) (click to expand)</summary>

* Configure a [GitHub CI workflow](https://docs.github.com/en/actions/concepts/workflows-and-actions/workflows) for publishing the package to PyPI, with package build and publish jobs
* Configure (or use an existing) GitHub environment, and register with PyPI
* Add the [environment definition](https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idenvironment) to the publish job
* Add `id-token: write` and `contents: read` [permissions](https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idpermissions) to the same publish job

</details>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Publish to PyPI with trusted publishing #824

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Publish to PyPI with trusted publishing #824

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions