CI: remove dead upload_pypi job from reusable workflow, rename to lib-build.yml

Closes #824. Follow-up to #820.

The upload_pypi job in lib-build-and-push.yml was never reachable: none of the
four caller workflows pass upload: true. build-push.yml and publish-manually.yml
already publish from their own separate jobs (necessary due to how PyPI Trusted
Publishing embeds the caller workflow path in the OIDC token).

Because the reusable workflow declared 'permissions: id-token: write' for
upload_pypi, GitHub's static permission validation forced build-test.yml (a
pull_request workflow, which defaults to id-token: none) to also declare
id-token: write — granting unnecessary privileges to a job that only builds
wheels.

Changes:
- Rename lib-build-and-push.yml -> lib-build.yml (it only builds now)
- Remove upload input and upload_pypi job from the reusable workflow
- Remove 'permissions: id-token: write' and 'with: upload: false' from
  build-test.yml (no longer needed)
- Update all callers (build-push.yml, publish-manually.yml, build-pre-release.yml)
  to reference the new workflow path and drop upload: false from with: blocks
- Replace TODO comments in build-push.yml and publish-manually.yml with an
  explanatory comment: the separate publish job is now intentional design,
  not a temporary workaround

Author: nikagra

.github/workflows/build-pre-release.yml

@@ -15,7 +15,7 @@ on:
 
 jobs:
   build-and-publish:
-    uses: ./.github/workflows/lib-build-and-push.yml
+    uses: ./.github/workflows/lib-build.yml
     with:
       python-version: ${{ inputs.python-version }}
       target: ${{ inputs.target }}

.github/workflows/build-push.yml

@@ -10,11 +10,12 @@ on:
 jobs:
   build-and-publish:
     name: "Build wheels"
-    uses: ./.github/workflows/lib-build-and-push.yml
-    with:
-      upload: false
+    uses: ./.github/workflows/lib-build.yml
 
-  # TODO: Remove when https://github.com/pypa/gh-action-pypi-publish/issues/166 is fixed and update build-and-publish.with.upload to ${{ endsWith(github.event.ref, 'scylla') }}
+  # Publishing is a separate job (not inside the reusable workflow) because PyPI Trusted Publishing
+  # requires the *caller* workflow path in the OIDC token. A reusable workflow would embed its own
+  # path instead, causing an `invalid-publisher` error on the PyPI side.
+  # See: https://github.com/pypa/gh-action-pypi-publish/issues/166
   publish:
     name: "Publish wheels to PyPi"
     if: ${{ endsWith(github.event.ref, 'scylla') }}

.github/workflows/build-test.yml

@@ -18,8 +18,4 @@ jobs:
   test-wheels-build:
     name: "Test wheels building"
     if: "!contains(github.event.pull_request.labels.*.name, 'disable-test-build')"
-    uses: ./.github/workflows/lib-build-and-push.yml
-    permissions:
-      id-token: write
-    with:
-      upload: false
+    uses: ./.github/workflows/lib-build.yml

.github/workflows/lib-build-and-push.yml .github/workflows/lib-build.yml.github/workflows/lib-build-and-push.yml renamed to .github/workflows/lib-build.yml

@@ -1,14 +1,8 @@
-name: Build and upload to PyPi
+name: Build wheels
 
 on:
   workflow_call:
     inputs:
-      upload:
-        description: 'Upload to PyPI'
-        type: boolean
-        required: false
-        default: false
-
       python-version:
         description: 'Python version to run on'
         type: string
@@ -146,12 +140,12 @@ jobs:
         if: matrix.target != 'linux-aarch64'
         shell: bash
         run: |
-          GITHUB_WORKFLOW_REF="scylladb/python-driver/.github/workflows/lib-build-and-push.yml@refs/heads/master" cibuildwheel --output-dir wheelhouse
+          GITHUB_WORKFLOW_REF="scylladb/python-driver/.github/workflows/lib-build.yml@refs/heads/master" cibuildwheel --output-dir wheelhouse
 
       - name: Build wheels for linux aarch64
         if: matrix.target == 'linux-aarch64'
         run: |
-          GITHUB_WORKFLOW_REF="scylladb/python-driver/.github/workflows/lib-build-and-push.yml@refs/heads/master" CIBW_BUILD="cp3*" cibuildwheel --archs aarch64 --output-dir wheelhouse
+          GITHUB_WORKFLOW_REF="scylladb/python-driver/.github/workflows/lib-build.yml@refs/heads/master" CIBW_BUILD="cp3*" cibuildwheel --archs aarch64 --output-dir wheelhouse
 
       - uses: actions/upload-artifact@v7
         with:
@@ -176,20 +170,3 @@ jobs:
         with:
           name: source-dist
           path: dist/*.tar.gz
-
-  upload_pypi:
-    if: inputs.upload
-    needs: [build-wheels, build-sdist]
-    runs-on: ubuntu-24.04
-    permissions:
-      id-token: write
-
-    steps:
-      - uses: actions/download-artifact@v8
-        with:
-          path: dist
-          merge-multiple: true
-
-      - uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          skip-existing: true

.github/workflows/publish-manually.yml

@@ -39,15 +39,17 @@ on:
 jobs:
   build-and-publish:
     name: "Build wheels"
-    uses: ./.github/workflows/lib-build-and-push.yml
+    uses: ./.github/workflows/lib-build.yml
     with:
-      upload: false
       python-version: ${{ inputs.python-version }}
       ignore_tests: ${{ inputs.ignore_tests }}
       target_tag: ${{ inputs.target_tag }}
       target: ${{ inputs.target }}
 
-  # TODO: Remove when https://github.com/pypa/gh-action-pypi-publish/issues/166 is fixed and update build-and-publish.with.upload to ${{ inputs.upload }}
+  # Publishing is a separate job (not inside the reusable workflow) because PyPI Trusted Publishing
+  # requires the *caller* workflow path in the OIDC token. A reusable workflow would embed its own
+  # path instead, causing an `invalid-publisher` error on the PyPI side.
+  # See: https://github.com/pypa/gh-action-pypi-publish/issues/166
   publish:
     name: "Publish wheels to PyPi"
     needs: build-and-publish