chore: Refactor GitHub Actions workflow for publishing to PyPI and TestPyPI (#795)

* Refactor GitHub Actions workflow for publishing to PyPI and TestPyPI

* Update release checklist to include optional monitoring steps for TestPyPI and PyPI publish jobs

Author: LacombeLouis

.github/workflows/publish.yml

@@ -1,25 +1,76 @@
-name: Publish to PyPi
+name: Publish Python 🐍 distribution 📦 to PyPI and TestPyPI
 
-on:
-  release:
-    types: [published]
+# Trigger on push (the publish job to PyPI only runs for tag pushes)
+on: push
 
 jobs:
-  deploy:
+  build:
+    name: Build distribution 📦
     runs-on: ubuntu-latest
+
     steps:
-      - uses: actions/[email protected]
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python
-        uses: actions/[email protected]
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.x"
+      - name: Install pypa/build
+        run: python3 -m pip install --upgrade build --user
+      - name: Build a binary wheel and a source tarball
+        run: python3 -m build
+      - name: Store the distribution packages
+        uses: actions/upload-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+
+  publish-to-pypi:
+    name: Publish Python 🐍 distribution 📦 to PyPI
+    if: startsWith(github.ref, 'refs/tags/')  # only publish to PyPI on tag pushes
+    needs: [build]
+    runs-on: ubuntu-latest
+    # NOTE: create a GitHub Environment named `pypi` in your repo settings and require manual approval
+    environment:
+      name: pypi
+      url: https://pypi.org/project/mapie/
+    permissions:
+      id-token: write  # mandatory for Trusted Publishing
+
+    steps:
+      - name: Download all the dists
+        uses: actions/download-artifact@v4
         with:
-          python-version: "3.13"
-      - name: Install build dependencies
-        run: |
-          python -m pip install -e '.[dev]'
-      - name: Build package
-        run: python -m build
-      - name: Publish package
-        uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29
+          name: python-package-distributions
+          path: dist/
+      - name: Publish distribution 📦 to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  publish-to-testpypi:
+    name: Publish Python 🐍 distribution 📦 to TestPyPI
+    needs: [build]
+    runs-on: ubuntu-latest
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/project/mapie/
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Download all the dists
+        uses: actions/download-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+      - name: Publish distribution 📦 to TestPyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN_VBL }}
+          repository-url: https://test.pypi.org/legacy/
+
+# Notes:
+# - Make sure to update the pypi and testpypi Trusted Publishers in the settings of your PyPI and TestPyPI accounts.
+# - Configure GitHub Environments named `pypi` and `testpypi` in your repository settings.
+# - For `pypi` the environment should require manual approval (recommended by PyPI Trusted Publishing).
+# - After switching to Trusted Publishing you should remove any long-lived PYPI API token secrets from the repo and
+#   revoke them on PyPI/TestPyPI as described in the PyPI guide.

RELEASE_CHECKLIST.md

@@ -9,18 +9,19 @@
     * `make doc`
 - [ ] Commit every change from the steps above
 - [ ] Update the version number with `bump2version major|minor|patch` (a commit is automatically made)
-- [ ] Build source distribution:
-    * `make clean-build`
-    * `make build`
-- [ ] Check that your package is ready for publication: `twine check dist/*`
-- [ ] Upload it to TestPyPi:
-    * you need to create an account on test.pypi.org first if you don't have one, then an API key, and ask one the existing MAPIE maintainer to add you as a maintainer
-    * `twine upload --repository-url https://test.pypi.org/legacy/ dist/*` (use `__token__` as username and your api token as password)
-- [ ] Test upload on TestPyPi:
-    * create a new empty virtual environment
-    * `pip install -i https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple/ mapie` (mapie should install from test.pypi.org, may not work if using uv)
 - [ ] Push the commit created by bump2version: `git push origin master`
+- [ ] (Optional) Monitor the TestPyPI publish job on GitHub Actions:
+    * The workflow automatically publishes to TestPyPI on every push to master
+    * Check the Actions tab to verify the build and TestPyPI publish succeeded
+    * Test installation from TestPyPI if desired:
+        - create a new empty virtual environment
+        - `pip install -i https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple/ mapie`
 - [ ] Push the tag created by bump2version: `git push --tags`
+- [ ] Monitor the PyPI publish job on GitHub Actions:
+    * The workflow automatically triggers on tag pushes
+    * The `pypi` environment requires manual approval (configured in repo settings)
+    * Approve the deployment in the GitHub Actions UI when prompted
+    * Verify the package appears on PyPI after approval
 - [ ] Create new release on GitHub for this tag.
 - [ ] Merge the automatically created pull request on https://github.com/conda-forge/mapie-feedstock. You need to be added as a maintainer on this repo first. To create the pull request
   manually to avoid waiting for automation, create an issue with the name `@conda-forge-admin, please update version`