Use the PyPI trusted publishers system

.github/workflows/ci.yaml

@@ -1,6 +1,7 @@
 name: Python CI
 
 "on":
+  merge_group: {}
   push:
     branches-ignore:
       # These should always correspond to pull requests, so ignore them for
@@ -11,9 +12,9 @@ name: Python CI
       - "renovate/**"
       - "tickets/**"
       - "u/**"
-    tags:
-      - "*"
   pull_request: {}
+  release:
+    types: [published]
 
 jobs:
   lint:
@@ -79,22 +80,48 @@ jobs:
           username: ${{ secrets.LTD_USERNAME }}
           password: ${{ secrets.LTD_PASSWORD }}
         if: >
-          github.event_name != 'pull_request'
-          || startsWith(github.head_ref, 'tickets/')
+          github.event_name != 'merge_group'
+          && (github.event_name != 'pull_request'
+              || startsWith(github.head_ref, 'tickets/'))
+
+  test-packaging:
+
+    name: Test packaging
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0 # full history for setuptools_scm
+
+      - name: Build and publish
+        uses: lsst-sqre/build-and-publish-to-pypi@v2
+        with:
+          python-version: "3.11"
+          upload: false
 
   pypi:
 
+    # This job requires set up:
+    # 1. Set up a trusted publisher for PyPI
+    # 2. Set up a "pypi" environment in the repository
+    # See https://github.com/lsst-sqre/build-and-publish-to-pypi
+    name: Upload release to PyPI
     runs-on: ubuntu-latest
-    needs: [lint, test, docs]
+    needs: [lint, test, docs, test-packaging]
+    environment:
+      name: pypi
+      url: https://pypi.org/p/kafkit
+    permissions:
+      id-token: write
+    if: github.event_name == 'release' && github.event.action == 'published'
 
     steps:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0 # full history for setuptools_scm
 
       - name: Build and publish
-        uses: lsst-sqre/build-and-publish-to-pypi@v1
+        uses: lsst-sqre/build-and-publish-to-pypi@v2
         with:
-          pypi-token: ${{ secrets.PYPI_SQRE_ADMIN }}
           python-version: "3.11"
-          upload: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') }}

.github/workflows/periodic-ci.yaml

@@ -41,17 +41,17 @@ jobs:
           tox-envs: "docs,docs-linkcheck"
           use-cache: false
 
-  pypi:
+  test-packaging:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
 
     steps:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0 # full history for setuptools_scm
 
       - name: Build and publish
-        uses: lsst-sqre/build-and-publish-to-pypi@v1
+        uses: lsst-sqre/build-and-publish-to-pypi@v2
         with:
-          pypi-token: ""
           python-version: "3.11"
           upload: false

changelog.d/20230717_125707_jsick_DM_39646.md

@@ -9,3 +9,7 @@
   - `AioKafkaProducerDependency` provides a Kafka producer based on aiokafka's `AIOKafkaProducer` (requires the `aiokafka` extra).
   - `PydanticSchemaManager` provides a Pydantic-based schema manager for Avro schemas, `kafkit.schema.manager.PydanticSchemaManager`.
   - `RegistryApiDependency` provides an HTTPX-based Schema Registry client, `kafkit.registry.httpx.RegistryApi`.
+
+### Other changes
+
+- Adopt PyPI's trusted publishers mechanism for releases.