Switch to standard tag-triggered release pipeline

Replaces the two-workflow / two-trigger setup (tick "pre-release" =>
TestPyPI; tick "latest" => PyPI) with a single tag-triggered workflow
that runs three sequenced jobs: build, publish-testpypi, publish-pypi.
TestPyPI failure hard-blocks PyPI via `needs:`. The `pypi` environment
gates the final upload behind manual approval.

This matches TabPFN's release pipeline shape, which is the conventional
"standard" pattern for Python releases (also used by numpy, scikit-learn,
etc. in some form). Trade-off: less inspection between TestPyPI and
PyPI, but tighter coupling and only one human click per release.

Other adjustments:

- Tag/version guard: a Python step in the build job verifies that the
  pushed tag matches `[project].version` in pyproject.toml. Catches
  manual `git tag` typos before the build runs. Becomes a no-op once
  hatch-vcs lands (the version derives from the tag, can't mismatch).

- Auto-create GitHub Release: extracts the matching `## [VERSION]`
  section from CHANGELOG.md, uploads as artifact, then `gh release
  create` runs after PyPI publish. The maintainer never visits the
  Releases UI; the release page appears automatically with notes.

- Build runs once. Both publish jobs download the same `dist/`
  artifact, guaranteeing identical bytes go to TestPyPI and PyPI.

Action versions kept SHA-pinned per the convention in pull_request.yml.
upload/download-artifact bumped to v7/v8 to match TabPFN's release
pipeline.

Drops publish-test.yml entirely.

Author: adrian-prior

.github/workflows/publish-release.yml

@@ -1,23 +1,31 @@
-name: Publish to PyPI
+name: Release to PyPI
+
+# Triggered by pushing a `vX.Y.Z` tag. The workflow runs three sequenced
+# jobs: build the wheel/sdist once, publish to TestPyPI and verify install,
+# then (after manual approval at the `pypi` environment) publish the same
+# bytes to real PyPI and create a GitHub Release with notes pulled from
+# CHANGELOG.md.
+#
+# Standard release shape: tag => TestPyPI gate => PyPI. No GitHub Releases
+# UI ticking. The maintainer's only manual steps are pushing the tag and
+# approving the `pypi` environment.
 
-# Triggered when a GitHub Release is marked as published (not a pre-release).
-# The `pypi` environment should require a manual reviewer approval, so this
-# workflow pauses before the actual upload.
 on:
-  release:
-    types: [released]
+  push:
+    tags:
+      - "v*"
 
 permissions:
-  contents: read
-  id-token: write   # required by PyPI Trusted Publishing (no API token needed)
+  contents: write   # release creation
+  id-token: write   # PyPI Trusted Publishing
 
 jobs:
-  publish:
-    name: Build and publish to PyPI
+  build:
+    name: Build sdist + wheel
     runs-on: ubuntu-latest
     timeout-minutes: 15
-    environment:
-      name: pypi
+    outputs:
+      version: ${{ steps.ver.outputs.version }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -33,14 +41,155 @@ jobs:
         with:
           enable-cache: true
 
+      - name: Extract version from tag
+        id: ver
+        run: |
+          VERSION="${GITHUB_REF_NAME#v}"
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "VERSION=$VERSION" >> "$GITHUB_ENV"
+
+      - name: Verify tag matches pyproject.toml version
+        env:
+          VERSION: ${{ env.VERSION }}
+        run: |
+          python - <<'PY'
+          import os, re
+          from pathlib import Path
+
+          v_tag = os.environ["VERSION"]
+          s = Path("pyproject.toml").read_text(encoding="utf-8")
+          m = re.search(r'(?ms)^\[project\]\s*\n.*?^\s*version\s*=\s*"([^"]+)"', s)
+          if not m:
+              raise SystemExit("Could not find [project].version in pyproject.toml")
+          v_file = m.group(1).strip()
+          if v_tag != v_file:
+              raise SystemExit(f"Version mismatch: tag={v_tag} pyproject={v_file}")
+          print("OK: tag matches pyproject version:", v_tag)
+          PY
+
       - name: Build sdist + wheel
         run: uv build
 
       - name: Check artifacts
         run: uvx twine check dist/*
 
+      - name: Extract release notes from CHANGELOG.md
+        env:
+          VERSION: ${{ env.VERSION }}
+        run: |
+          python - <<'PY'
+          import os, re, pathlib
+
+          v = os.environ["VERSION"]
+          text = pathlib.Path("CHANGELOG.md").read_text(encoding="utf-8")
+
+          # Match: ## [X.Y.Z] - YYYY-MM-DD ... up to next ## [ header (or EOF)
+          pat = rf"(?ms)^##\s+\[{re.escape(v)}\]\s+-\s+\d{{4}}-\d{{2}}-\d{{2}}\s*\n(.*?)(?=^##\s+\[|\Z)"
+          m = re.search(pat, text)
+          if not m:
+              raise SystemExit(f"No CHANGELOG.md section for {v}. Expected: ## [{v}] - YYYY-MM-DD")
+
+          notes = m.group(1).strip() + "\n"
+          pathlib.Path("release_notes.md").write_text(notes, encoding="utf-8")
+          print("Wrote release_notes.md")
+          PY
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: dist
+          path: dist/
+          retention-days: 7
+
+      - name: Upload release notes
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: release_notes
+          path: release_notes.md
+          retention-days: 7
+
+  publish-testpypi:
+    name: Publish to TestPyPI + verify install
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    environment:
+      name: testpypi
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: dist
+          path: dist/
+
+      - name: Publish to TestPyPI
+        uses: pypa/gh-action-pypi-publish@6733eb7d741f0b11ec6a39b58540dab7590f9b7d # v1.14.0
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          print-hash: true
+          skip-existing: true
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+
+      - name: Wait for TestPyPI propagation
+        run: sleep 30
+
+      - name: Verify install from TestPyPI
+        env:
+          VERSION: ${{ needs.build.outputs.version }}
+        run: |
+          TEST_DIR=$(mktemp -d)
+          cd "$TEST_DIR"
+          uv venv --python 3.12
+          source .venv/bin/activate
+          uv pip install \
+            --index-url https://test.pypi.org/simple/ \
+            --extra-index-url https://pypi.org/simple/ \
+            --index-strategy unsafe-best-match \
+            "tabpfn-extensions==${VERSION}"
+          python -c "import tabpfn_extensions; print('imported tabpfn_extensions OK, version:', tabpfn_extensions.__version__)"
+
+  publish-pypi:
+    name: Publish to PyPI + create GitHub Release
+    needs: [build, publish-testpypi]
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    environment:
+      name: pypi
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: dist
+          path: dist/
+
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@6733eb7d741f0b11ec6a39b58540dab7590f9b7d # v1.14.0
         with:
           print-hash: true
           skip-existing: true
+
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Download release notes
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: release_notes
+          path: .
+
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ needs.build.outputs.version }}
+        run: |
+          gh release create "v${VERSION}" \
+            --title "v${VERSION}" \
+            --notes-file release_notes.md