Setup release workflow with trusted publisher (#9852)

browniebroke · web-flow · commit 9734f77406c4 · 2026-03-04T13:09:14.000Z
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,124 @@
+name: Publish Release
+
+concurrency:
+  # stop previous release runs if tag is recreated
+  group: release-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  push:
+    tags:
+      # Order matters, the last rule that applies to a tag
+      # is the one that takes effect:
+      # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#example-including-and-excluding-branches-and-tags
+      - '*.*.*'
+      # There should be no dev tags created, but to be safe,
+      # let's not publish them.
+      - '!*.*.*.dev*'
+
+env:
+  PYPI_URL: https://pypi.org/p/djangorestframework
+  PYPI_TEST_URL: https://test.pypi.org/p/djangorestframework
+
+jobs:
+  build:
+    name: Build distribution 📦
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v6
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.x"
+      - name: Install pypa/build
+        run: python3 -m pip install build
+      - name: Build a binary wheel and a source tarball
+        run: python3 -m build
+      - name: Store the distribution packages
+        uses: actions/upload-artifact@v7
+        with:
+          name: python-package-distributions
+          path: dist/
+
+  publish-to-testpypi:
+    name: Publish Python 🐍 distribution 📦 to TestPyPI
+    needs:
+      - build
+    runs-on: ubuntu-24.04
+    environment:
+      name: testpypi
+      url: ${{ env.PYPI_TEST_URL }}
+    permissions:
+      id-token: write  # IMPORTANT: mandatory for trusted publishing
+    steps:
+      - name: Download all the dists
+        uses: actions/download-artifact@v8
+        with:
+          name: python-package-distributions
+          path: dist/
+      - name: Publish distribution 📦 to TestPyPI
+        uses: pypa/gh-action-pypi-publish@release/v1.13
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          skip-existing: true
+
+  publish-to-pypi:
+    name: Publish Python 🐍 distribution 📦 to PyPI
+    needs:
+      - build
+      - publish-to-testpypi
+    runs-on: ubuntu-24.04
+    environment:
+      name: pypi
+      url: ${{ env.PYPI_URL }}
+    permissions:
+      id-token: write  # IMPORTANT: mandatory for trusted publishing
+    steps:
+      - name: Download all the dists
+        uses: actions/download-artifact@v8
+        with:
+          name: python-package-distributions
+          path: dist/
+      - name: Publish distribution 📦 to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1.13
+
+  github-release:
+    name: >-
+      Sign the Python 🐍 distribution 📦 with Sigstore
+      and upload them to GitHub Release
+    needs:
+      - publish-to-pypi
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write  # IMPORTANT: mandatory for making GitHub Releases
+      id-token: write  # IMPORTANT: mandatory for sigstore
+    steps:
+      - name: Download all the dists
+        uses: actions/download-artifact@v8
+        with:
+          name: python-package-distributions
+          path: dist/
+      - name: Sign the dists with Sigstore
+        uses: sigstore/gh-action-sigstore-python@v3.2.0
+        with:
+          inputs: >-
+            ./dist/*.tar.gz
+            ./dist/*.whl
+      - name: Create GitHub Release
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: >-
+          gh release create
+          '${{ github.ref_name }}'
+          --repo '${{ github.repository }}'
+          --generate-notes
+      - name: Upload artifact signatures to GitHub Release
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        # Upload to GitHub Release using the `gh` CLI.
+        # `dist/` contains the built packages, and the
+        # sigstore-produced signatures and certificates.
+        run: >-
+          gh release upload
+          '${{ github.ref_name }}' dist/**
+          --repo '${{ github.repository }}'
diff --git a/docs/community/project-management.md b/docs/community/project-management.md
@@ -60,19 +60,23 @@ The following template should be used for the description of the issue, and serv
         - [ ] `README` Python & Django versions
         - [ ] `docs` Python & Django versions
     - [ ] Ensure the pull request increments the version to `*.*.*` in [`restframework/__init__.py`](https://github.com/encode/django-rest-framework/blob/main/rest_framework/__init__.py).
+    - [ ] Update the release-notes.md:
+        - Start drafting a new release in GitHub: https://github.com/encode/django-rest-framework/releases/new
+        - Select the tag that you want to give to the next release and the previous tag
+        - Click the "Generate release notes" button
+        - Don't confirm anything yet! Copy the generated content to a file `input.md`
+        - Run `uv tool run linkify-gh-markdown input.md` to make the links absolute
+        - Put the generated content in the release-notes.md file
     - [ ] Ensure documentation validates
         - Build and serve docs `mkdocs serve`
         - Validate links `pylinkvalidate.py -P http://127.0.0.1:8000`
-    - [ ] Confirm with @tomchristie that release is finalized and ready to go.
+    - [ ] Confirm with other maintainers that the release is finalized and ready to go.
     - [ ] Ensure that release date is included in pull request.
     - [ ] Merge the release pull request.
-    - [ ] Install the release tools: `pip install build twine`
-    - [ ] Build the package: `python -m build`
-    - [ ] Push the package to PyPI with `twine upload dist/*`
-    - [ ] Tag the release, with `git tag -a *.*.* -m 'version *.*.*'; git push --tags`.
-    - [ ] Deploy the documentation with `mkdocs gh-deploy`.
+    - [ ] Tag the release, either with `git tag -a *.*.* -m 'version *.*.*'; git push --tags` or in GitHub.
+    - [ ] Wait for the release workflow to run. It will build the distribution, upload it to Test PyPI, PyPI and create the GitHub release.
     - [ ] Make a release announcement on the [discussion group](https://groups.google.com/forum/?fromgroups#!forum/django-rest-framework).
-    - [ ] Make a release announcement on twitter.
+    - [ ] Make a release announcement on social media (Mastodon, etc...) and on the [Django forum](https://forum.djangoproject.com/).
     - [ ] Close the milestone on GitHub.
 
     To modify this process for future releases make a pull request to the [project management](https://www.django-rest-framework.org/topics/project-management/) documentation.
