Merge branch 'main' into ig/spec0_py314

Author: ilan-gold

.github/workflows/releases.yml

@@ -6,13 +6,41 @@ on:
   pull_request:
     branches: [main]
   workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Git tag to build and publish (e.g. v3.1.6)'
+        required: true
+        type: string
 
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
 
+  validate_tag:
+    if: github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Validate tag format
+        run: |
+          if [[ ! "${{ inputs.tag }}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+([a-z]+[0-9]*)?$ ]]; then
+            echo "::error::Invalid tag format '${{ inputs.tag }}'. Expected format: v1.2.3, v1.2.3a1, v1.2.3rc1"
+            exit 1
+          fi
+      - name: Verify tag exists
+        run: |
+          git ls-remote --tags "${{ github.server_url }}/${{ github.repository }}" "${{ inputs.tag }}" | grep -q "${{ inputs.tag }}" || {
+            echo "::error::Tag '${{ inputs.tag }}' does not exist in the repository"
+            exit 1
+          }
+
   build_artifacts:
+    needs: [validate_tag]
+    if: always() && (needs.validate_tag.result == 'success' || needs.validate_tag.result == 'skipped')
     name: Build wheel on ubuntu-latest
     runs-on: ubuntu-latest
     strategy:
@@ -21,6 +49,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         with:
+          ref: ${{ inputs.tag || github.ref }}
           submodules: true
           fetch-depth: 0
 
@@ -35,7 +64,7 @@ jobs:
           version: '1.16.5'
       - name: Build wheel and sdist
         run: hatch build
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@v7
         with:
           name: releases
           path: dist
@@ -55,16 +84,26 @@ jobs:
           ls dist
 
   upload_pypi:
-    needs: [build_artifacts]
+    needs: [build_artifacts, test_dist_pypi]
     runs-on: ubuntu-latest
-    if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v')
+    if: >-
+      (github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v'))
+      || (github.event_name == 'workflow_dispatch' && startsWith(inputs.tag, 'v'))
+    environment:
+      name: releases
+      url: https://pypi.org/p/zarr
+    permissions:
+      id-token: write
+      attestations: write
+      artifact-metadata: write
     steps:
       - uses: actions/download-artifact@v7
         with:
           name: releases
           path: dist
-      - uses: pypa/gh-action-pypi-publish@v1.13.0
+      - name: Generate artifact attestation
+        uses: actions/attest@v4
         with:
-          user: __token__
-          password: ${{ secrets.pypi_password }}
-          # To test: repository_url: https://test.pypi.org/legacy/
+          subject-path: dist/*
+      - name: Publish package to PyPI
+        uses: pypa/gh-action-pypi-publish@v1.13.0