feat(release): publish tagged artifacts to TestPyPI

evopen · evopen · commit 5d93ea32e808 · 2026-03-27T10:53:41.000+08:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -92,3 +92,36 @@ jobs:
         with:
           name: rapidobj-wheels-${{ matrix.os }}
           path: wheelhouse/*.whl
+
+  publish-testpypi:
+    name: Publish to TestPyPI
+    runs-on: ubuntu-latest
+    needs:
+      - sdist
+      - wheels
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/p/rapidobj
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Download sdist artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: rapidobj-sdist
+          path: dist
+
+      - name: Download wheel artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: rapidobj-wheels-*
+          merge-multiple: true
+          path: dist
+
+      - name: Publish package distributions to TestPyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
diff --git a/README.md b/README.md
@@ -22,7 +22,8 @@ python -m pip install dist/rapidobj-0.1.0-cp312-cp312-*.whl
 
 For release builds, GitHub Actions is the authoritative wheel pipeline. Pull
 requests validate the package, and version tags build Linux and Windows wheels
-for CPython 3.12, 3.13, and 3.14.
+for CPython 3.12, 3.13, and 3.14. Tag builds also publish the validated
+artifacts to TestPyPI via Trusted Publishing.
 
 ## Minimal Usage
 
diff --git a/RELEASE.md b/RELEASE.md
@@ -32,6 +32,7 @@ Use semantic version tags: `vX.Y.Z`.
    - build Linux and Windows wheel artifacts
    - run metadata checks and smoke tests
    - upload artifacts to GitHub Actions
+   - publish those exact artifacts to TestPyPI via Trusted Publishing
 
 ## GitHub Source Release
 
@@ -42,8 +43,14 @@ Use semantic version tags: `vX.Y.Z`.
 3. Wait for the release workflow to finish and download the generated artifacts if needed.
 4. Create GitHub release from the tag and include changelog notes.
 
+## TestPyPI Publish
+
+1. Configure a Trusted Publisher for the repository on TestPyPI.
+2. Push a version tag (`vX.Y.Z`).
+3. Wait for the `Release Artifacts` workflow to finish.
+4. Verify the package page and an install from TestPyPI.
+
 ## PyPI Publish
 
-1. Upload validated artifacts from the GitHub release workflow:
-   - `uvx --from twine twine upload dist/*`
-2. Verify package page metadata and install command.
+1. After TestPyPI validation, point the publish job at production PyPI.
+2. Reuse the same tag-triggered artifact publish flow with Trusted Publishing.
