Isolate package build and publish

[hugovk]

This follows the https://github.com/python/blurb/blob/main/.github/workflows/release.yml pattern as much as possible, which is very similar to the other PyPI Trusted Publishing workflows we have under https://github.com/python/, which will help ease maintenance burden.

As before, it publishes to Test PyPI for commits to main, and to prod PyPI when releases are created.

The main difference is we build the artifacts (sdist and wheel) in an isolated job then upload as GH artifacts. Then another isolated job will download and publish to the relevant index.

This isolates the installation of build deps from the job that uploads, and helps prevent supply chain attacks.

It will also run when we're not in "publish mode", and verify the artifacts can be built. We also get a nice summary of the packages and their contents. For example:

• https://github.com/hugovk/tzdata/actions/runs/24910411359

This also includes extra linting of artifacts. There was a bunch of "W002: Wheel contains duplicate files" warnings:

• https://github.com/hugovk/tzdata/actions/runs/24910168446/job/72949537402

I've ignored these, as I think these are inherent to how tzdata is built? Anyway, this is pre-existing in the last published wheel: check-wheel-contents --no-config tzdata-2026.2-py2.py3-none-any.whl

[StanFromIreland]

Hmm, I won't be able to do releases in one PR now, right? It'll require me to do two.

[hugovk]

Please could you explain your current release process?

https://github.com/python/tzdata/blob/master/docs/maintaining.rst#making-a-release doesn't mention PRs.

That says:

• Push a tag -> publishes to Test PyPI.
• Create a GH release -> publishes to PyPI.

[StanFromIreland]

Push a tag -> publishes to Test PyPI.

I can push a tag for a commit in a PR, as long as it's from a branch in this repository (which is what the bot does).

[StanFromIreland]

Won't this fail due to duplicate version numbers?

[hugovk]

Good point. As mentioned, blurb uses hatch-vcs so dev versions are like 2.0.1.dev37 and will change based on the number of commits since the last tag. So it's not a problem there.

Will have to rethink this!

[hugovk]

I think changing the if: guard to pushed tags would work?

Then we can still test the package build works when not publishing. And only publish for tags (Test PyPI) and releases (prod PyPI).

[hugovk]

Okay, how's it look now?

[StanFromIreland]

Is it possible to also verify that all the tests have passed before uploading?

[hugovk]

Yes, we could change:

To add a test gate in the middle:

But tests already run on every PR and every merge to master, so usually the precondition is that the CI is green before you even start a release.

But can add it if you like?

[StanFromIreland]

But tests already run on every PR and every merge to master, so usually the precondition is that the CI is green before you even start a release.

Yes, but currently I've manually been checking before making the release, which I don't like (or maybe I'm just too misanthropic ;-). If it is a terrible pain to do I can merge this as-is.

[hugovk]

Sure, I wouldn't bother for a repo I'm maintaining, but I'm not maintaining this one :)

How's this?

[StanFromIreland]

Last few nits, thanks Hugo!

[StanFromIreland]

Thanks Hugo!