Publish to PyPI via GitHub CI

.github/workflows/publish.yml

@@ -0,0 +1,36 @@
+name: Publish
+
+on:
+  release:
+    types: [created]
+
+env:
+  FORCE_COLOR: 1
+
+jobs:
+  publish:
+    environment:
+      name: pypi
+      url: https://pypi.org/p/packaging
+    permissions:
+      id-token: write
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+        name: Install Python
+        with:
+          python-version: "3.12"
+          cache: "pip"
+          allow-prereleases: false
+
+      - name: Build distribution via nox
+        run: pipx run nox --error-on-missing-interpreters -s release_build
+
+      - name: Publish distribution to PyPI
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # release/v1
+        with:
+          print-hash: true

docs/development/release-process.rst

@@ -11,10 +11,12 @@ Release Process
 
     $ nox -s release -- YY.N
 
-   You will need the password for your GPG key as well as an API token for PyPI.
+   This creates and pushes a new tag for the release
 
 #. Add a `release on GitHub <https://github.com/pypa/packaging/releases>`__.
 
+   This triggers a CI workflow which builds and publishes the package to PyPI
+
 #. Notify the other project owners of the release.
 
 .. note::

noxfile.py

@@ -12,7 +12,6 @@
 import tempfile
 import textwrap
 import time
-import webbrowser
 from pathlib import Path
 
 import nox
@@ -141,8 +140,48 @@ def release(session):
     next_version = f"{major}.{minor + 1}.dev0"
     _bump(session, version=next_version, file=version_file, kind="development")
 
-    # Checkout the git tag.
-    session.run("git", "checkout", "-q", release_version, external=True)
+    # Push the commits and tag.
+    # NOTE: The following fails if pushing to the branch is not allowed. This can
+    #       happen on GitHub, if the main branch is protected, there are required
+    #       CI checks and "Include administrators" is enabled on the protection.
+    session.run("git", "push", "upstream", "main", release_version, external=True)
+
+
+@nox.session
+def release_build(session):
+    package_name = "packaging"
+
+    # Parse version from command-line arguments, if provided, otherwise get
+    # from Git tag.
+    try:
+        release_version = _get_version_from_arguments(session.posargs)
+    except ValueError as e:
+        if session.posargs:
+            session.error(f"Invalid arguments: {e}")
+
+        release_version = session.run(
+            "git", "describe", "--exact-match", silent=True, external=True
+        )
+        release_version = release_version.strip()
+        session.debug(f"version: {release_version}")
+        checkout = False
+    else:
+        checkout = True
+
+    # Check state of working directory.
+    _check_working_directory_state(session)
+
+    # Ensure there are no uncommitted changes.
+    result = subprocess.run(
+        ["git", "status", "--porcelain"], capture_output=True, encoding="utf-8"
+    )
+    if result.stdout:
+        print(result.stdout, end="", file=sys.stderr)
+        session.error("The working tree has uncommitted changes")
+
+    # Checkout the git tag, if provided.
+    if checkout:
+        session.run("git", "checkout", "-q", release_version, external=True)
 
     session.install("build", "twine")
 
@@ -162,24 +201,13 @@ def release(session):
         diff = "\n".join(diff_generator)
         session.error(f"Got the wrong files:\n{diff}")
 
-    # Get back out into main.
-    session.run("git", "checkout", "-q", "main", external=True)
+    # Get back out into main, if we checked out before.
+    if checkout:
+        session.run("git", "checkout", "-q", "main", external=True)
 
-    # Check and upload distribution files.
+    # Check distribution files.
     session.run("twine", "check", *files)
 
-    # Push the commits and tag.
-    # NOTE: The following fails if pushing to the branch is not allowed. This can
-    #       happen on GitHub, if the main branch is protected, there are required
-    #       CI checks and "Include administrators" is enabled on the protection.
-    session.run("git", "push", "upstream", "main", release_version, external=True)
-
-    # Upload the distribution.
-    session.run("twine", "upload", *files)
-
-    # Open up the GitHub release page.
-    webbrowser.open("https://github.com/pypa/packaging/releases")
-
 
 @nox.session
 def update_licenses(session: nox.Session) -> None: