Apply suggestions from code review

Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>

Author: chrysle

source/guides/github-actions-ci-cd-sample/publish-to-test-pypi.yml

@@ -2,13 +2,11 @@ name: Publish Python 🐍 distributions 📦 to PyPI and TestPyPI
 
 on: push
 
-# Only trigger this for tag changes.
-if: startsWith(github.ref, 'refs/tags/')
-
 jobs:
   build:
     name: Build the source package
     runs-on: ubuntu-latest
+
     steps:
     - uses: actions/checkout@v3
     - name: Set up Python
@@ -22,15 +20,19 @@ jobs:
         build
         --user
     - name: Build a binary wheel and a source tarball
-      run: >-
-        python3 -m
-        build
+      run: python3 -m build
     - name: Store the distribution packages
       uses: actions/upload-artifact@v3
       with:
         name: python-package-distributions
+        path: dist/
+
   publish-to-pypi:
-    name: Build and publish Python 🐍 distributions 📦 to PyPI
+    name: >-
+      Publish Python 🐍 distributions 📦 to PyPI
+      and sign them with Sigstore
+    needs:
+    - build
     runs-on: ubuntu-latest
     environment:
       name: pypi
@@ -46,8 +48,18 @@ jobs:
         path: dist/
     - name: Publish distribution 📦 to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
+    - name: Sign the dists with Sigstore
+      uses: sigstore/gh-action-sigstore-python@v1.2.3
+      with:
+        inputs: >-
+          ./dist/*.tar.gz
+          ./dist/*.whl
+
   publish-to-testpypi:
     name: Build and publish Python 🐍 distributions 📦 to TestPyPI
+    if: startsWith(github.ref, 'refs/tags/')  # only publish to PyPI on tag pushes
+    needs:
+    - build
     runs-on: ubuntu-latest
     environment:
       name: testpypi
@@ -61,7 +73,7 @@ jobs:
       with:
         name: python-package-distributions
         path: dist/
-    - name: Publish distribution 📦 to Test PyPI
+    - name: Publish distribution 📦 to TestPyPI
       uses: pypa/gh-action-pypi-publish@release/v1
       with:
         repository-url: https://test.pypi.org/legacy/

source/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows.rst

@@ -25,9 +25,9 @@ Configuring trusted publishing
 This guide relies on PyPI's `trusted publishing`_ implementation to connect
 to `GitHub Actions CI/CD`_. This is recommended for security reasons, since 
 the generated tokens are created for each of your projects
-individually and expire automatically. Otherwise you'll need to generate an
+individually and expire automatically. Otherwise, you'll need to generate an
 `API token`_ for both PyPI and TestPyPI. In case of publishing to third-party
-indexes like :doc:`devpi <devpi:index>`, you will need to provide a
+indexes like :doc:`devpi <devpi:index>`, you may need to provide a
 username/password combination.
 
 Since this guide will demonstrate uploading to both
@@ -77,7 +77,7 @@ should make GitHub run this workflow:
    :language: yaml
    :end-before: jobs:
 
-This will also assure that the release workflow is only triggered
+This will also ensure that the release workflow is only triggered
 if the current commit is tagged. It is recommended you use the
 latest release tag; a tool like GitHub's dependabot can keep
 these updated regularly.
@@ -115,9 +115,11 @@ Defining a workflow job environment
 Now, let's add initial setup for our job that will publish to PyPI.
 It's a process that will execute commands that we'll define later.
 In this guide, we'll use the latest stable Ubuntu LTS version
-provided by GitHub Actions. This also defines the package index 
-to publish to, PyPI, and grants a permission to the action that 
-is mandatory for trusted publishing.
+provided by GitHub Actions. This also defines a GitHub Environment
+for the job to run in its context and a URL to be displayed in GitHub's
+UI nicely. Additionally, it allows aqcuiring an OpenID Connect token
+which is mandartory that the ``pypi-publish`` actions needs to
+implement secretless trusted publishing to PyPI.
 
 .. literalinclude:: github-actions-ci-cd-sample/publish-to-test-pypi.yml
    :language: yaml
@@ -134,9 +136,10 @@ Finally, add the following steps at the end:
    :lines: 41-48
 
 This step uses the `pypa/gh-action-pypi-publish`_ GitHub
-Action: After the stored distribution package has been 
+Action: after the stored distribution package has been 
 downloaded by the `download-artifact`_ action, it uploads 
 the contents of the ``dist/`` folder into PyPI unconditionally.
+This job also signs the artifacts with Sigstore right after publishing them to PyPI.
 
 Separate workflow for publishing to TestPyPI
 ============================================