Automate releasing

[brettcannon]

As https://packaging.pypa.io/en/latest/development/release-process/ points out, it's already mostly automated. I think if we added a PyPI token and then used https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/ with the version number to release as the sole input we can make it so we can cut a release entirely in the browser.

[dHannasch]

Are you picturing this as a release.yml in .github/workflows? With the GPG password and API token mentioned by https://packaging.pypa.io/en/latest/development/release-process.html as secrets stored on GitHub? (A bit like https://github.com/pypa/gh-action-pypi-publish, but with workflow_dispatch like you mentioned?)

[brettcannon]

Yeah, basically. Since there are multiple maintainers of this project, all of whom have the ability/clearance to do a release, automating it so it's as much of a button click as possible would be good.

[pradyunsg]

x-ref #273

[pradyunsg]

Noting for whenever we get to this: the current best practice is to use trusted publishers, which can also be combined with workflows blocking on approvals.

[brettcannon]

Yep, I was actually thinking about this issue last week when I was setting trusted publishers up on some of my personal projects. 🙂

[webknjaz]

With the GPG password

GPG support has been deprecated on the PyPI but we've added a Sigstore usage example to my PyPUG guide: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#signing-the-distribution-packages. It's passwordless and is integrated the same way as trusted publishing — through OIDC.