Publish to PyPI from GHA with PEP 740 digital attestations

[webknjaz]

This would allow showing more metadata as verified on PyPI and include verifiable dist signatures uploaded there too.

Here's the guide to follow: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/. By implementing it, the digital attestations will be included automatically. Ping me for review if need be.

[adrienverge]

@webknjaz thanks, it's a good idea! I implemented this at #724.

I'll merge now and create a new tag to make sure it works on the real PyPI, but feel free to review the pull request: we can make edits afterwards if needed.

[webknjaz]

@adrienverge looks like you'll need to set up a trusted publisher on TestPyPI or drop that job. Although, if you want to keep it for regular PR merges, you need some extra version computation for untagged commits since (TestPyPI) won't allow version reuse. I usually use setuptools-scm for this.

[adrienverge]

I did set up a trusted publisher on TestPyPI (same procedure as on PyPI) prior to pushing anything on the GitHub repo, so it looks like the HTTP 400 sometimes returned by test.pypi.org are rather due to duplication of pushes, as your comment suggests.

I want to fix this but I see a benefit in keeping these test publications to TestPyPI, as regular sanity checks.

To avoid pushing releases with the same version, we could either:

• run the whole worflow only if on master branch:

  on:
    push:
      branches:
        - master

• run the workflow on all pushes, but the TesPyPI job only on master branch:

    publish-to-testpypi:
      if: github.ref == 'refs/heads/master'

What do you think?
Is there a preferred option? An alternative option? Are there best practices?