Use Github-Actions for PyPI release process

.github/workflows/publish_to_pypi.yml

@@ -0,0 +1,117 @@
+name: Publish xrpl-py 🐍 distribution 📦 to PyPI
+on:
+  push:
+    tags:
+        - 'v*' # Run on version tags only
+
+jobs:
+  build:
+    name: Build distribution 📦
+    runs-on: ubuntu-latest
+    env:
+        POETRY_VERSION: 1.8.3
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: ">=3.8,<3.13"
+    - name: Load cached .local
+      id: cache-poetry
+      uses: actions/cache@v3
+      with:
+          path: /home/runner/.local
+          key: dotlocal-${{ env.POETRY_VERSION }}
+    - name: Install poetry
+      if: steps.cache-poetry.outputs.cache-hit != 'true'
+      run: |
+        curl -sSL "https://install.python-poetry.org/" | python - --version "${{ env.POETRY_VERSION }}"
+        echo "${HOME}/.local/bin" >> $GITHUB_PATH
+        poetry --version || exit 1  # Verify installation
+    - name: Build a binary wheel and a source tarball
+      run: poetry build
+    - name: Verify build artifacts
+      run: |
+        ls dist/*.whl dist/*.tar.gz || exit 1
+        pip install check-wheel-contents
+        check-wheel-contents dist/*.whl
+    - name: Store the distribution packages
+      uses: actions/upload-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+  publish-to-pypi:
+    name: >-
+        Publish Python 🐍 distribution 📦 to PyPI
+    needs: build  # Explicit dependency on build job
+    runs-on: ubuntu-latest
+    timeout-minutes: 10  # Adjust based on typical publishing time
+    permissions:
+        # More information about Trusted Publishing and OpenID Connect: https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
+        id-token: write  # IMPORTANT: mandatory for trusted publishing
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Verify downloaded artifacts
+      run: |
+        ls dist/*.whl dist/*.tar.gz || exit 1
+    - name: Publish distribution 📦 to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
+      with:
+        verbose: true
+        verbose: true
+
+  github-release:
+    name: >-
+        Sign the Python 🐍 distribution 📦 with Sigstore
+        and upload them to GitHub Release
+    needs:
+    - publish-to-pypi
+    runs-on: ubuntu-latest
+    timeout-minutes: 15  # Adjust based on typical signing and release time
+
+    permissions:
+        contents: write  # IMPORTANT: mandatory for making GitHub Releases
+        id-token: write  # IMPORTANT: mandatory for sigstore
+
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Sign the dists with Sigstore
+      uses: sigstore/[email protected]
+      with:
+        inputs: >-
+            ./dist/*.tar.gz
+            ./dist/*.whl
+    - name: Create GitHub Release
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      run: >-
+            gh release create
+            '${{ github.ref_name }}'
+            --repo '${{ github.repository }}'
+            --generate-notes ||
+            (echo "::error::Failed to create release" && exit 1)
+    - name: Upload artifact signatures to GitHub Release
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      # Verify signature files exist
+      run: |
+       if ! ls dist/*.sigstore >/dev/null 2>&1; then
+         echo "::error::Signature files not found"
+         exit 1
+       fi
+
+       # Upload to GitHub Release using the `gh` CLI.
+       # `dist/` contains the built packages, and the
+       # sigstore-produced signatures and certificates.
+       gh release upload
+       '${{ github.ref_name }}' dist/**
+       --repo '${{ github.repository }}'

CONTRIBUTING.md

@@ -202,7 +202,18 @@ This should almost always be done using the [`xrpl-codec-gen`](https://github.co
 - Merge your changes.
 
 ### Release
-
+1. Please increment the version in `pyproject.toml` and update the `CHANGELOG.md` file appropriately. We follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+2. Please select a commit that is suitable for release and create a tag. The following commands can be helpful:
+`git tag -s -a <tag-title> -m "Optional Message describing the tag"`
+`git tag` -- This command displays all the tags in the repository.
+`git push <remote_name, e.g. upstream> tag <tag_title>`
+3. A [Github Workflow](.github/workflows/publish_to_pypi.yml) completes the rest of the Release steps (building the project, generating a .whl and tarball, publishing on the PyPI platform). The workflow uses OpenID Connect's temporary keys to obtain the necessary PyPI authorization.
+As a prerequisite, the PyPI `xrpl-py` project needs to authorize Github Actions as a "Trusted Publisher". This page contains helpful resources: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#configuring-trusted-publishing
+4. Send an email to [xrpl-announce](https://groups.google.com/g/xrpl-announce).
+5. Post an announcement in the [XRPL Discord #python channel](https://discord.com/channels/886050993802985492/886053080913821717) with a link to the changes and highlighting key changes.
+
+
+**Note: If maintainers prefer to manually release the xrpl-py software distribution, the below steps are relevant.**
 1. Create a branch off main that properly increments the version in `pyproject.toml` and updates the `CHANGELOG` appropriately. We follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 2. Merge this branch into `main`.
 3. Locally build and download the package.