Refactor github CI workflows

- `publish.yaml`: Publish to test.pypi.org and pypi.org in the same job.
  - Use a single deployment environment (`publish-pypi`) for both test
    and production publishing endpoints.
- `ci-workflow.yaml`: A high level reusable workflow to call other workflows.
  - Orchestrate all CI jobs from a single workflow.
  - Use workflow inputs (`jobs`) to control which jobs to run.
- `ci.yaml`: Configure the CI workflow to use the new ci-workflow.yaml.
  - Here is where the triggers and workflow configuration are set.
  - This file will call `ci-workflow.yaml` with the appropriate inputs.

Assumes tests and code checks are run by `tox` and configured in the
`pyproject.toml` file.

Author: glenn20

.github/workflows/ci-release.yaml

@@ -0,0 +1,107 @@
+name: CI Workflow
+
+#   A reusable github workflow to run python CI workflows, including static code
+#   checks, automated testing (using pytest and tox), package building,
+#   publishing to test.pypi.org and pypi.org, and creating a GitHub release.
+#
+#   The workflow elements to selected are specified in the `jobs` input. The
+#   default is to run the `test` and `build` jobs. The CI workflow is
+#   configured in the tox-gh config (eg. pyproject.toml). See
+#   https://github.com/tox-dev/tox-gh.
+#
+#   Accepts the following inputs as json strings:
+#   - `jobs`: the list of jobs to run,
+#   - `os`: the list of operating systems on which to run tests, and
+#   - `python-version`: the list of python versions on which to run tests.
+#
+#   Assumes the configurations for all tools (`mypy`, `uv`, `ruff`, `pytest`,
+#   ...) are fully specified in config files (eg `pyproject.toml`).
+#
+#   These workflows use `tox`, as it can be more easily customised in your
+#   pyproject.toml so that the same CI process runs on your local computer and
+#   on github.
+#
+#   All workflows use astral `uv` to execute actions wherever possible.
+
+on:
+  workflow_call:
+    inputs:
+      jobs:
+        description: >-
+          A json string containing the list of jobs to run. Available jobs are:
+          - `check`: Run static code checks (using `mypy`, `ruff`, etc.).
+          - `test`: Run tests and code checks using `tox`.
+          - `build`: Build the python package.
+          - `publish-test`: Publish the package to test.pypi.org.
+          - `publish`: Publish the package to pypi.org (runs `publish-test`).
+          - `release`: Create a GitHub release.
+          The default is `["test", "build"]`.
+        default: '["test", "build"]'
+        type: string
+        required: false
+      os:
+        description: >-
+          A json string containing the list of operating systems on which to
+          run the test matrix.
+        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        type: string
+        required: false
+      python-version:
+        description: >-
+          A json string containing the list of python versions on
+          which to run the test matrix.
+        default: '["3.9", "3.10", "3.11", "3.12", "3.13"]'
+        type: string
+        required: false
+
+jobs:
+  init:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Select the workflow configuration
+        run: |  # Find the matching environment variable based on the event trigger
+          echo '${{ github.repository }}'
+
+  test:
+    if: ${{ contains(fromJson(inputs.jobs), 'test') }}
+    name: Tests
+    uses: glenn20/python-ci/.github/workflows/test-tox.yaml@dev
+    with:
+      os: ${{ inputs.os }}
+      python-version: ${{ inputs.python-version }}
+    permissions:
+      id-token: none
+      contents: none
+
+  build:
+    if: ${{ contains(fromJson(inputs.jobs), 'build') }}
+    name: Build python package
+    uses: glenn20/python-ci/.github/workflows/build.yaml@dev
+    permissions:
+      id-token: none
+      contents: none
+
+  # The publish workflows must be located in your project repository, not in the
+  # python-ci repository, so that trusted publishing to pypi.org can be used.
+  # Copy the `publish.yaml` workflow from
+  # `https://github.com/glenn20/python-ci/tree/main/examples/publish.yaml` to
+  # your project's `.github/workflows` directory.
+  publish:
+    if: ${{ contains(fromJson(inputs.jobs), 'publish-test') || contains(fromJson(inputs.jobs), 'publish') }}
+    name: Publish to pypi
+    uses: ${{ github.repository }}/.github/workflows/publish.yaml@dev
+    with:
+      test-only: ${{ !contains(fromJson(inputs.jobs), 'publish') }}
+    needs: [test, build]
+    permissions:
+      id-token: write  # IMPORTANT: mandatory for trusted publishing!
+      contents: none  # IMPORTANT: mandatory for github release
+
+  release:
+    if: ${{ contains(fromJson(inputs.jobs), 'release') }}
+    name: Create GitHub release
+    uses: glenn20/python-ci/.github/workflows/github-release.yaml@dev
+    needs: [test, build]
+    permissions:
+      id-token: write  # IMPORTANT: mandatory for github release
+      contents: write  # IMPORTANT: mandatory for github release

.github/workflows/ci-test-build.yaml

@@ -0,0 +1,69 @@
+name: CI workflow for python projects
+
+# Run the CI test workflow of jobs which includes:
+# - `check`: Run static code checks (using `mypy`, `ruff`, etc.).
+# - `test`: Run tests (and code checks) using `tox`.
+# - `build`: Build the python package.
+# - `publish-test`: Publish the package to test.pypi.org.
+# - `publish`: Publish the package to pypi.org (runs `publish-test`).
+# - `release`: Create a GitHub release.
+
+on:
+  push:
+    branches: ["**"]  # Push commits to any branch
+    tags: ["v[0-9]*"]  # Publish on tags matching "v*", eg. "v1.0.0"
+
+# Configure the workflows here. Each environment variable name should be a
+# wildcard matching the
+# `on-<github.event_name>-<github.ref_type>-<github.ref_name>` format. For
+# example, if the event is a push to a tag `v1.0.0`, the environment variable
+# `on-push-tag-v*` will match. The value of the matching variable will be
+# written to $GITHUB_OUTPUT to set the jobs, python versions, and operating
+# systems to run the workflow on. The first match found is used.
+env:
+  on-push-tag-*: |  # Push version tag matching "v*", eg. "v1.0.0"
+    jobs=["test", "build", "publish", "release"]
+    python-version=["3.9", "3.10", "3.11", "3.12", "3.13"]
+    os=["ubuntu-latest"]
+  on-push-branch-main: |  # Push commits to main branch
+    jobs=["test", "build", "publish-test"]
+    python-version=["3.9", "3.10", "3.11", "3.12", "3.13"]
+    os=["ubuntu-latest"]
+  on-push-branch-*: |  # Push commits to other branches
+    jobs=["test", "build", "publish-test"]
+    python-version=["3.9", "3.13"]
+    os=["ubuntu-latest"]
+
+jobs:
+  config:
+    # Select the workflow config based on the event trigger.
+    runs-on: ubuntu-latest
+    outputs:
+      jobs: ${{ steps.config.outputs.jobs }}
+      python-version: ${{ steps.config.outputs.python-version }}
+      os: ${{ steps.config.outputs.os }}
+    steps:
+      - name: Select the workflow configuration
+        id: config
+        run: |  # Find the matching environment variable based on the event trigger
+          tag="on-${{ github.event_name }}-${{ github.ref_type }}-${{ github.ref_name }}"
+          for key in $(echo '${{ toJson(env) }}' | jq -r 'keys_unsorted[]'); do
+            if [[ "$tag" == $key ]]; then
+              # Write value of the matching environment variable to $GITHUB_OUTPUT
+              echo '${{ toJson(env) }}' | jq -r ".[\"$key\"]" >> $GITHUB_OUTPUT
+              exit 0  # Stop after the first match
+            fi
+          done
+          echo "No matching environment variable found for '$tag'."
+
+  ci-workflow:
+    name: CI workflow
+    needs: config
+    uses: ./.github/workflows/ci-workflow.yaml
+    with:
+      jobs: ${{ needs.config.outputs.jobs }}
+      os: ${{ needs.config.outputs.os }}
+      python-version: ${{ needs.config.outputs.python-version }}
+    permissions:
+      id-token: write  # Required for trusted publishing!
+      contents: write  # Required for creating a GitHub release

.github/workflows/ci-test.yaml

@@ -1,11 +1,12 @@
 name: Publish python package
 
 # description: |- A github reusable workflow to publish a python package to
-#   pypi.org or test.pypi.org.
+#   pypi.org and test.pypi.org.
 #
 #   Input options:
-#   - `pypi: test.pypi`: Publish to test.pypi.org (default).
-#   - `pypi: upload.pypi`: Publish to pypi.org.
+#   - `test-only`:
+#       - If true, publish only to test.pypi.org (default).
+#       - If false, publish to both pypi.org and test.pypi.org.
 #
 #   The workflow invokes the github composite action
 #   `glenn20/python-ci/publish@v1` to publish the package.
@@ -14,42 +15,45 @@ name: Publish python package
 #   1. For trusted publishing, the publishing workflow must be in the project
 #      repository, so copy this workflow file to
 #      `.github/workflows/publish.yaml` in your repository.
-#   2. Create the `publish-test.pypi` and `publish-upload.pypi` Environments in
-#      your github repository (Settings->Environments->New Environment).
+#   2. Create the `publish-pypi` Environment in your github repository
+#      (Settings->Environments->New Environment).
 #   3. Add the name of this workflow file (publish.yaml) as a "trusted
 #      publisher" on your pypi and test.pypi project pages (add the name of the
 #      relevant Environment for additional access control).
-#   4. Call this workflow from a parent workflow with the `pypi` input set to
-#      "upload.pypi" or "test.pypi" (default).
-#
-#   Invoke with `uses: ./.github/workflows/publish.yaml` from a parent workflow.
+#   4. Call this workflow from a parent workflow with
+#      `uses: ./.github/workflows/publish.yaml`.
 
 on:
   workflow_call:
     inputs:
-      pypi:
-        description: 'Publish to `upload.pypi` or `test.pypi`:'
-        default: 'test.pypi'
+      test-only:
+        description: 'Only publish to `test.pypi` if set (default).'
+        default: true
         required: false
-        type: string
+        type: boolean
   workflow_dispatch:
     inputs:
-      pypi:
-        description: 'Set to "upload.pypi" or "test.pypi" (default).'
-        options: ['test.pypi', 'upload.pypi']
-        type: choice
+      test-only:
+        description: 'Only publish to "test.pypi" if set (default).'
+        default: true
+        type: boolean
 
 jobs:
   publish:
-    name: Publish to ${{ inputs.pypi }}
+    name: Publish to ${{ inputs.test-only && 'test.' || '' }}pypi.org
     runs-on: ubuntu-latest
     environment:
-      name: publish-${{ inputs.pypi }}
-      url: https://${{ inputs.pypi }}.org/p/${{ steps.publish.outputs.package-name }}
+      name: publish-pypi
+      url: https://${{ inputs.test-only && 'test.' || '' }}pypi.org/p/${{ steps.publish-test.outputs.package-name }}
     permissions:
-      id-token: write  # IMPORTANT: mandatory for trusted publishing
+      id-token: write  # Required for trusted publishing
     steps:
-      - uses: glenn20/python-ci/publish@dev
+      - uses: glenn20/python-ci/publish@v1
+        id: publish-test
+        with:
+          pypi: test.pypi
+      - uses: glenn20/python-ci/publish@v1
+        if: ${{ !inputs.test-only }}
         id: publish
         with:
-          pypi: ${{ inputs.pypi }}
+          pypi: upload.pypi

.github/workflows/ci-workflow.yaml

@@ -83,7 +83,8 @@ run.omit = ["_version.py"]
 report.skip_covered = false
 append = true
 
-[tool.tox.gh.python]  # For Github Actions workflow - see
+# For Github Actions workflow - see https://github.com/tox-dev/tox-gh
+[tool.tox.gh.python]
 "3.13" = ["clean", "typing", "lint", "format", "3.13"]
 "3.12" = ["3.12"]
 "3.11" = ["3.11"]
@@ -111,7 +112,6 @@ dependency_groups = ["test"]  # Everything we need to run the tox tests
 labels = ["test"]
 package = "editable"  # "editable" runs a bit faster then "wheel"
 runner = "uv-venv-runner"  # We love uv
-passenv = ["GITHUB_ACTIONS"]  # So conftest.py knows we are running in github actions
 
 [tool.tox.env.3.13]
 # Run coverage tests only on the latest python version