[build] Enable attestations for trusted publishing

Authored by: bashonly

.github/workflows/release-master.yml

@@ -28,3 +28,24 @@ jobs:
       actions: write  # For cleaning up cache
       id-token: write  # mandatory for trusted publishing
     secrets: inherit
+
+  publish_pypi:
+    needs: [release]
+    if: vars.MASTER_PYPI_PROJECT != ''
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # mandatory for trusted publishing
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          path: dist
+          name: build-pypi
+      - name: Verify SHA2-256SUMS
+        run: |
+          cd ./dist/
+          sha256sum -c SHA2-256SUMS
+          rm SHA2-256SUMS
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          verbose: true

.github/workflows/release-nightly.yml

@@ -41,3 +41,24 @@ jobs:
       actions: write  # For cleaning up cache
       id-token: write  # mandatory for trusted publishing
     secrets: inherit
+
+  publish_pypi:
+    needs: [release]
+    if: vars.NIGHTLY_PYPI_PROJECT != ''
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # mandatory for trusted publishing
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          path: dist
+          name: build-pypi
+      - name: Verify SHA2-256SUMS
+        run: |
+          cd ./dist/
+          sha256sum -c SHA2-256SUMS
+          rm SHA2-256SUMS
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          verbose: true

.github/workflows/release.yml

@@ -2,10 +2,6 @@ name: Release
 on:
   workflow_call:
     inputs:
-      prerelease:
-        required: false
-        default: true
-        type: boolean
       source:
         required: false
         default: ''
@@ -18,6 +14,14 @@ on:
         required: false
         default: ''
         type: string
+      prerelease:
+        required: false
+        default: true
+        type: boolean
+      manual_dispatch:
+        required: false
+        default: false
+        type: boolean
   workflow_dispatch:
     inputs:
       source:
@@ -47,6 +51,10 @@ on:
         description: Pre-release
         default: false
         type: boolean
+      manual_dispatch:
+        description: Manual dispatch (do not toggle)
+        default: true
+        type: boolean
 
 permissions:
   contents: read
@@ -278,7 +286,28 @@ jobs:
           make clean-cache
           python -m build --no-isolation .
 
+      - name: Make SHA2-SUMS files
+        if: ${{ !inputs.manual_dispatch }}
+        run: |
+          cd ./dist/
+          # make sure SHA sums are also printed to stdout
+          sha256sum -- * | tee SHA2-256SUMS
+          # also print as permanent annotations to the summary page
+          while read -r shasum; do
+            echo "::notice title=${shasum##* }::sha256: ${shasum% *}"
+          done < SHA2-256SUMS
+
+      - name: Upload PyPI artifacts
+        if: ${{ !inputs.manual_dispatch }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-pypi
+          path: |
+            dist/*
+          compression-level: 0
+
       - name: Publish to PyPI
+        if: inputs.manual_dispatch
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           verbose: true