[build] Enable attestations for trusted publishing (#11420)

Reverts 428ffb75aa3534b275cf54de42693a4d261519da

Authored by: bashonly

4 files changed, 50 insertions, 6 deletions

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d062d7720..c18843cfc 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -504,7 +504,8 @@ jobs:
       - windows32
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/download-artifact@v4
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
         with:
           path: artifact
           pattern: build-bin-*
diff --git a/.github/workflows/release-master.yml b/.github/workflows/release-master.yml
index c49319b17..78445e417 100644
--- a/.github/workflows/release-master.yml
+++ b/.github/workflows/release-master.yml
@@ -28,3 +28,20 @@ jobs:
       actions: write  # For cleaning up cache
       id-token: write  # mandatory for trusted publishing
     secrets: inherit
+
+  publish_pypi:
+    needs: [release]
+    if: vars.MASTER_PYPI_PROJECT != ''
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # mandatory for trusted publishing
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: dist
+          name: build-pypi
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          verbose: true
diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml
index b536c5066..8f7284405 100644
--- a/.github/workflows/release-nightly.yml
+++ b/.github/workflows/release-nightly.yml
@@ -41,3 +41,20 @@ jobs:
       actions: write  # For cleaning up cache
       id-token: write  # mandatory for trusted publishing
     secrets: inherit
+
+  publish_pypi:
+    needs: [release]
+    if: vars.NIGHTLY_PYPI_PROJECT != ''
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # mandatory for trusted publishing
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: dist
+          name: build-pypi
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          verbose: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2bc09c64d..26b93e429 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,10 +2,6 @@ name: Release
 on:
   workflow_call:
     inputs:
-      prerelease:
-        required: false
-        default: true
-        type: boolean
       source:
         required: false
         default: ''
@@ -18,6 +14,10 @@ on:
         required: false
         default: ''
         type: string
+      prerelease:
+        required: false
+        default: true
+        type: boolean
   workflow_dispatch:
     inputs:
       source:
@@ -278,11 +278,20 @@ jobs:
           make clean-cache
           python -m build --no-isolation .
 
+      - name: Upload artifacts
+        if: github.event_name != 'workflow_dispatch'
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-pypi
+          path: |
+            dist/*
+          compression-level: 0
+
       - name: Publish to PyPI
+        if: github.event_name == 'workflow_dispatch'
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           verbose: true
-          attestations: false  # Currently doesn't work w/ reusable workflows (breaks nightly)
 
   publish:
     needs: [prepare, build]