Add release workflow for PyPI publish automation #665

Open
wants to merge 1 commit into
base: main

djcopley
Contributor

Not sure if you're interested in this piece of automation, but this workflow will automatically build and publish a FuseSoC release to PyPI when you create a GitHub release.

I configured it to use OIDC for authentication and to run in the production environment. This means that you can set up special rules, such as mandatory review etc., before it can execute.

@olofk
Owner

olofk commented Jan 22, 2024

This looks good. The current release process is pretty much undocumented, but I currently run

python setup.py sdist
twine upload dist/fusesoc-<version>.tar.gz

Is this doing the same thing more or less? Haven't used the build package before. And finally, I didn't get how authentication works. Currently I have a password in ~/.pypirc but I guess that's not used with this flow.

@djcopley
Contributor Author

djcopley commented Jan 22, 2024

> Is this doing the same thing more or less?

It's doing basically the same. It uploads a wheel in addition. Including the wheel is good though as it shortens the installation time.

> And finally, I didn't get how authentication works.

There is a protocol called OpenID Connect (OIDC) that GitHub and PyPI support. To configure it you'll have to do a few things.

  1. First go to the GitHub settings for this project and create an environment. This step is optional, but I highly recommend it for security. This is where you can set up all the approval and security rules. You can name it anything; however, it has to match what the workflow says. I named it 'release'.
  2. Next go to your PyPI publishing settings and go to the bottom where it says "Add a new publisher". Fill in the repository info and save.

To use the workflow, just create a release in GitHub. If you set up approval rules, the actual publish to PyPI action won't happen until the required approvers approve the deployment.

Here is a GitHub article on configuring OIDC:
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi
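
A simplified model of the claim matching behind the OIDC setup described above, showing why the environment name has to match. This is an added example, not code from this pull request or from PyPI; the owner, repository and workflow file name are constructed placeholders, and signature verification against GitHub's published keys is assumed to have already happened.

```python
import base64
import json

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Constructed trusted-publisher record (the form fields from step 2).
PUBLISHER = {"owner": "example-org", "repo": "example-project",
             "workflow": "release.yml", "environment": "release"}

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT so the example runs offline."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                     _b64url(claims), "constructed-signature"])

def decode_claims(token: str) -> dict:
    """Decode the payload only. A real verifier checks the signature first."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def mismatches(claims: dict, pub: dict) -> list:
    """Return the claims that do not match the publisher; empty means accept."""
    repo = f"{pub['owner']}/{pub['repo']}"
    workflow_prefix = f"{repo}/.github/workflows/{pub['workflow']}@"
    bad = []
    if claims.get("iss") != GITHUB_ISSUER:
        bad.append("iss")
    if claims.get("aud") != "pypi":
        bad.append("aud")
    if claims.get("repository") != repo:
        bad.append("repository")
    if not claims.get("job_workflow_ref", "").startswith(workflow_prefix):
        bad.append("job_workflow_ref")
    # The environment is optional on the publisher, but enforced once set.
    if pub.get("environment") and claims.get("environment") != pub["environment"]:
        bad.append("environment")
    return bad

def sample_claims(environment="release") -> dict:
    """Constructed claims shaped like a GitHub Actions OIDC token."""
    return {"iss": GITHUB_ISSUER, "aud": "pypi",
            "repository": "example-org/example-project",
            "job_workflow_ref": "example-org/example-project/.github/workflows/release.yml@refs/tags/v1.0.0",
            "environment": environment}
```

A job running outside the configured environment, or in a fork, produces a token whose claims differ from the publisher record, so no upload credential is issued for it.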
