ci: 👷 improve publishing workflow to comply with pypi recommendations #3

Merged
truehazker merged 1 commit into develop from feature/pypi-publishing
Dec 3, 2025

Conversation

truehazker (Owner) commented Dec 3, 2025

update build artifacts versions

Summary by CodeRabbit

  • Chores
    • Updated CI/CD pipeline tools to latest versions with enhanced caching support
    • Restructured release process with separate testing and production publishing workflows to improve reliability and control over distribution channels


coderabbitai bot (Contributor) commented Dec 3, 2025

Walkthrough

GitHub Actions workflows were modernized across CI and publishing pipelines. The CI workflow now triggers on additional branches (release/, hotfix/) and uses newer action versions with caching. The publishing workflow was refactored from a single job into three separate jobs with distinct responsibilities for building, publishing to TestPyPI, and publishing to PyPI, with explicit artifact dependencies.

Changes

Cohort / File(s): Summary

  • CI Workflow Updates (.github/workflows/ci.yml): Updated checkout action to v6 with persist-credentials disabled; upgraded setup-uv to v7 with caching enabled; expanded push triggers to include release/* and hotfix/* branches; applied updates consistently across lint, typecheck, and test jobs
  • Publishing Workflow Refactoring (.github/workflows/publish.yml): Split single publish job into three: build (new job building distributions and uploading artifacts), publish-to-testpypi (branch-triggered publishing to TestPyPI), and publish-to-pypi (tag-triggered publishing to PyPI); replaced release event trigger with explicit branch and tag push triggers; added artifact download steps and environment configurations for each publishing target

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • publish.yml job dependencies: Verify that publish-to-testpypi and publish-to-pypi correctly depend on the build job and properly download artifacts
  • Trigger conditions: Carefully validate that the new trigger patterns (release/, hotfix/, v* tags) match intended release flows and don't accidentally trigger unintended publishes
  • Permission scopes: Ensure expanded permissions sections across the new jobs are correctly scoped for artifact access and PyPI/TestPyPI authentication
  • Action version compatibility: Confirm that setup-uv v7 and checkout v6 work as expected with existing caching and credential handling

Poem

🐰 Our workflows run faster with caches so bright,
Three publishing jobs make the pipeline just right,
From branches and tags, releases take flight,
Astral-sh and persist-false work day and night,
The CI/CD dance now flows with delight!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately reflects the main changes: improving the publishing workflow (split into separate jobs) and updating CI steps to comply with PyPI best practices.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8c6ef9e and 3cb070c.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml (3 hunks)
  • .github/workflows/publish.yml (1 hunks)
🔇 Additional comments (11)
.github/workflows/ci.yml (4)

8-9: Expanded branch triggers appropriately for release workflows.

Adding release/* and hotfix/* branches aligns with the publishing workflow changes and follows common gitflow patterns. This ensures CI runs on all relevant branches before publishing.


19-24: Good security and performance improvements in CI setup.

Updating to actions/checkout@v6 with persist-credentials: false reduces credential exposure, and enabling cache in astral-sh/setup-uv@v7 improves CI performance. These are solid modernization choices.


32-37: Consistent updates applied to typecheck job.

The same security and caching improvements from the lint job are correctly applied here.


47-53: Consistent updates applied across all Python versions in matrix.

The checkout and setup-uv updates are correctly propagated to the test job across all matrix configurations.

.github/workflows/publish.yml (7)

1-9: Trigger mechanism aligned with PyPI recommendations.

The shift from GitHub Release events to explicit branch and tag pushes is more predictable and aligns with PyPI's trusted publishing model. The conditional logic (if: github.ref_type == 'branch' for TestPyPI, if: github.ref_type == 'tag' for PyPI) correctly separates pre-release and production workflows.


12-29: Build job correctly separates artifact creation from publishing.

The dedicated build job creates distributions once and uploads them as artifacts, which both publish jobs then consume. This follows the recommended pattern of building once and reusing artifacts, improving reproducibility and reducing build latency.


16-24: Consistent security and caching setup across build job.

The checkout and setup-uv configuration mirrors the CI workflow improvements, maintaining consistency across the entire CI/CD pipeline.


31-42: Trusted publishing configuration for TestPyPI.

The environment reference and OIDC permissions (id-token: write) correctly enable GitHub's trusted publishing feature for TestPyPI. The skip-existing: true flag allows idempotent re-runs without failing on duplicate versions.


45-54: Correct artifact download and publish pattern for TestPyPI.

Artifacts are downloaded before publishing with the correct path matching the build job's upload path. Using pypa/gh-action-pypi-publish@release/v1 with repository-url for TestPyPI is the recommended approach and currently points to v1.13.0.


56-76: Trusted publishing configuration for PyPI.

The PyPI job mirrors TestPyPI's structure with OIDC permissions and environment reference. The tag-based conditional correctly gates PyPI publishing to tagged releases. Confirm that the publish-to-pypi job definition is complete and includes all necessary steps beyond line 76.


56-76: Version of pypa/gh-action-pypi-publish is appropriate and job structure is complete.

The release/v1 branch pointer is the official recommended replacement for the sunset master version, documented in the Python Packaging User Guide as the standard for trusted publishing to PyPI. The publish-to-pypi job is complete with proper artifact download and publishing steps, appropriate permissions, environment configuration, and conditional execution on tag events.


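The three-job layout the review describes, written out as an added example workflow that is not the PR's own publish.yml: the branch and tag patterns, the artifact name and the environment names are assumptions, while the action versions, the `persist-credentials: false`, `id-token: write`, `skip-existing: true` and `repository-url` settings follow the review comments above. The workflow-wide `contents: read` default is a least-privilege choice added here so that only the two publish jobs can mint an OIDC token.

```yaml
on:
  push:
    branches: ["release/*", "hotfix/*"]   # assumed: pre-release branches go to TestPyPI
    tags: ["v*"]                          # assumed: version tags go to PyPI
permissions:
  contents: read   # workflow-wide default; only the publish jobs get id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false   # do not leave the GITHUB_TOKEN in .git/config
      - uses: astral-sh/setup-uv@v7
        with:
          enable-cache: true
      - run: uv build                  # sdist + wheel into dist/
      - uses: actions/upload-artifact@v4
        with:
          name: python-package-distributions   # assumed artifact name
          path: dist/
  publish-to-testpypi:
    needs: build
    if: github.ref_type == 'branch'
    runs-on: ubuntu-latest
    environment: testpypi              # assumed name; registered as trusted publisher on TestPyPI
    permissions:
      id-token: write                  # OIDC token for trusted publishing, no long-lived API token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          repository-url: https://test.pypi.org/legacy/
          skip-existing: true          # idempotent re-runs of the same version
  publish-to-pypi:
    needs: build
    if: github.ref_type == 'tag'
    runs-on: ubuntu-latest
    environment: pypi                  # assumed name; gate it with required reviewers
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Because the publish jobs only download the artifact the build job produced, the distributions that reach PyPI are the same files that went to TestPyPI, and neither publish job needs checkout or repository write access.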

@truehazker truehazker merged commit b62cfba into develop Dec 3, 2025
6 checks passed