Refactor github CI workflows

- `publish.yaml`: Publish to test.pypi.org and pypi.org in the same job.
  - Use a single deployment environment (`publish-pypi`) for both test
    and production publishing endpoints.
- `ci-workflow.yaml`: A high level reusable workflow to call other workflows.
  - Orchestrate all CI jobs from a single workflow.
  - Use workflow inputs (`jobs`) to control which jobs to run.
- `ci.yaml`: Configure the CI workflow to use the new ci-workflow.yaml.
  - Here is where the triggers and workflow configuration are set.
  - This file will call `ci-workflow.yaml` with the appropriate inputs.

Assumes tests and code checks are run by `tox` and configured in the
`pyproject.toml` file.

Author: glenn20

.github/workflows/ci-release.yaml

@@ -0,0 +1,68 @@
+name: CI Workflow
+
+#   A reusable github workflow to run python CI workflows, including static code
+#   checks, automated testing (using pytest and tox), package building,
+#   publishing to test.pypi.org and pypi.org, and creating a GitHub release.
+#
+#   The workflow elements to selected are specified in the `jobs` input. The
+#   default is to run the `test` and `build` jobs. The CI workflow is
+#   configured in the tox-gh config (eg. pyproject.toml). See
+#   https://github.com/tox-dev/tox-gh.
+#
+#   Accepts the following inputs as json strings:
+#   - `jobs`: the list of jobs to run,
+#   - `os`: the list of operating systems on which to run tests, and
+#   - `python-version`: the list of python versions on which to run tests.
+#
+#   Assumes the configurations for all tools (`mypy`, `uv`, `ruff`, `pytest`,
+#   ...) are fully specified in config files (eg `pyproject.toml`).
+#
+#   These workflows use `tox`, as it can be more easily customised in your
+#   pyproject.toml so that the same CI process runs on your local computer and
+#   on github.
+#
+#   All workflows use astral `uv` to execute actions wherever possible.
+
+on:
+  workflow_call:
+    inputs:
+      jobs:
+        description: >-
+          A json string containing the list of jobs to run. Available jobs are:
+          - `check`: Run static code checks (using `mypy`, `ruff`, etc.).
+          - `test`: Run tests and code checks using `tox`.
+          - `build`: Build the python package.
+          - `publish-test`: Publish the package to test.pypi.org.
+          - `publish`: Publish the package to pypi.org (runs `publish-test`).
+          - `release`: Create a GitHub release.
+          The default is `["test", "build"]`.
+        default: '["test", "build"]'
+        type: string
+        required: false
+      os:
+        description: >-
+          A json string containing the list of operating systems on which to
+          run the test matrix.
+        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        type: string
+        required: false
+      python-version:
+        description: >-
+          A json string containing the list of python versions on
+          which to run the test matrix.
+        default: '["3.9", "3.10", "3.11", "3.12", "3.13"]'
+        type: string
+        required: false
+
+jobs:
+  test:
+    if: ${{ contains(fromJson(inputs.jobs), 'test') }}
+    name: Tests
+    uses: glenn20/python-ci/.github/workflows/test-tox.yaml@dev
+    with:
+      os: ${{ inputs.os }}
+      python-version: ${{ inputs.python-version }}
+
+  build:
+    name: Build python package
+    uses: glenn20/python-ci/.github/workflows/build.yaml@dev

.github/workflows/ci-test-build.yaml

@@ -0,0 +1,94 @@
+name: CI workflow for python projects
+
+# Run the CI test workflow of jobs which includes:
+# - `check`: Run static code checks (using `mypy`, `ruff`, etc.).
+# - `test`: Run tests (and code checks) using `tox`.
+# - `build`: Build the python package.
+# - `publish-test`: Publish the package to test.pypi.org.
+# - `publish`: Publish the package to pypi.org (runs `publish-test`).
+# - `release`: Create a GitHub release.
+
+on:
+  push:
+    branches: ["**"]  # Push commits to any branch
+    tags: ["v[0-9]*"]  # Publish on tags matching "v*", eg. "v1.0.0"
+
+# Configure the workflows here. Each environment variable name should be a
+# wildcard matching the
+# `on-<github.event_name>-<github.ref_type>-<github.ref_name>` format. For
+# example, if the event is a push to a tag `v1.0.0`, the environment variable
+# `on-push-tag-v*` will match. The value of the matching variable will be
+# written to $GITHUB_OUTPUT to set the jobs, python versions, and operating
+# systems to run the workflow on. The first match found is used.
+env:
+  on-push-tag-*: |  # Push version tag matching "v*", eg. "v1.0.0"
+    jobs=["test", "build", "publish", "release"]
+    python-version=["3.9", "3.10", "3.11", "3.12", "3.13"]
+    os=["ubuntu-latest"]
+  on-push-branch-main: |  # Push commits to main branch
+    jobs=["test", "build", "publish-test"]
+    python-version=["3.9", "3.10", "3.11", "3.12", "3.13"]
+    os=["ubuntu-latest"]
+  on-push-branch-*: |  # Push commits to other branches
+    jobs=["test", "build", "publish-test"]
+    python-version=["3.9", "3.13"]
+    os=["ubuntu-latest"]
+
+jobs:
+  config:
+    # Select the workflow config based on the event trigger.
+    runs-on: ubuntu-latest
+    outputs:
+      jobs: ${{ steps.config.outputs.jobs }}
+      python-version: ${{ steps.config.outputs.python-version }}
+      os: ${{ steps.config.outputs.os }}
+    steps:
+      - name: Select the workflow configuration
+        id: config
+        run: |  # Find the matching environment variable based on the event trigger
+          tag="on-${{ github.event_name }}-${{ github.ref_type }}-${{ github.ref_name }}"
+          for key in $(echo '${{ toJson(env) }}' | jq -r 'keys_unsorted[]'); do
+            if [[ "$tag" == $key ]]; then
+              # Write value of the matching environment variable to $GITHUB_OUTPUT
+              echo '${{ toJson(env) }}' | jq -r ".[\"$key\"]" >> $GITHUB_OUTPUT
+              exit 0  # Stop after the first match
+            fi
+          done
+          echo "No matching environment variable found for '$tag'."
+
+  ci-workflow:
+    name: CI workflow
+    needs: config
+    uses: ./.github/workflows/ci-workflow.yaml
+    with:
+      jobs: ${{ needs.config.outputs.jobs }}
+      os: ${{ needs.config.outputs.os }}
+      python-version: ${{ needs.config.outputs.python-version }}
+
+  # We can't use trusted publishing from a reusable workflow in another
+  # repository, so the publish workflows must be run from here, not in the
+  # ci-workflow.yaml.
+  publish:
+    if: ${{ contains(needs.config.outputs.jobs, '"publish') }}
+    name: Publish to pypi.org
+    runs-on: ubuntu-latest
+    needs: [config, ci-workflow]
+    environment:
+      name: publish-pypi
+      url: ${{ steps.publish.outputs.url }}
+    permissions:
+      id-token: write  # Required for trusted publishing
+    steps:
+      - id: publish
+        uses: glenn20/python-ci/publish@dev
+        with:
+          test-only: ${{ contains(needs.config.outputs.jobs, '"publish"') && 'true' || 'false' }}
+
+  release:
+    if: ${{ contains(fromJson(needs.config.outputs.jobs), 'release') }}
+    name: Create GitHub release
+    needs: [config, ci-workflow]
+    permissions:
+      id-token: write  # IMPORTANT: mandatory for github release
+      contents: write  # IMPORTANT: mandatory for github release
+    uses: glenn20/python-ci/.github/workflows/github-release.yaml@dev

.github/workflows/ci-test.yaml

@@ -83,7 +83,8 @@ run.omit = ["_version.py"]
 report.skip_covered = false
 append = true
 
-[tool.tox.gh.python]  # For Github Actions workflow - see
+# For Github Actions workflow - see https://github.com/tox-dev/tox-gh
+[tool.tox.gh.python]
 "3.13" = ["clean", "typing", "lint", "format", "3.13"]
 "3.12" = ["3.12"]
 "3.11" = ["3.11"]
@@ -111,7 +112,6 @@ dependency_groups = ["test"]  # Everything we need to run the tox tests
 labels = ["test"]
 package = "editable"  # "editable" runs a bit faster then "wheel"
 runner = "uv-venv-runner"  # We love uv
-passenv = ["GITHUB_ACTIONS"]  # So conftest.py knows we are running in github actions
 
 [tool.tox.env.3.13]
 # Run coverage tests only on the latest python version