@woodruffw just wanted to say that I like the proposal overall. I now showcase using Sigstore in a separate job in the PyPUG guide, that uploads the signatures along with the dists to GitHub Releases. Perhaps, that could indeed be moved into my action. However, one of the reasons that job is separate is that (1) it allows making sure that the PyPI publishing actually succeeds (fully, for all the artifacts) and (2) the publishing job is retriable separately from the signing one. Perhaps, we need to discuss the considerations around this in a separate discussion.
In general, I’m happy to accept experimental provenance-related features in the action even before there’s infra on the PyPI side and expose that to the action callers for publishing to GitHub Releases and elsewhere.
Moreover, my PyPUG guide demonstrates an example where a publishing workflow is configured to “pause” right before performing said publishing, which allows for artifact inspection if one needs that: Publishing package distribution releases using GitHub Actions CI/CD workflows - Python Packaging User Guide.
Yes, this is one of the reasons I prefer a workflow_dispatch trigger over push or release, since it allows the resulting changes to Git to happen once the workflow “knows” that publishing to PyPI succeeded and not vice versa. I didn’t include an example of this in the above guide because it’s somewhat more complicated to set up.
Still, with the guide advertising a way to pause the release workflow, perform any checks you want and proceed with the actual upload by an explicit click on a button, I believe it actually implements your “manual checkpoint” request as I understand it. I also share a similar opinion, which was one of the main reasons I’ve been pushing for including examples with GitHub Environments, pauses and job separation in all the docs advertising Trusted Publishing.
I understand your desire to be more in control, though, and be able to publish manually. Yet, I don’t think that having a GHA-based pipeline prevents use of that manual workflow. It sounds like having two interfaces to do this might be an acceptable middle ground for many projects.
P.S. I see now that some of the points have been addressed in later comments already so don’t feel the need to respond.
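The job layout described in the post above (manual trigger, a publish job gated by a GitHub Environment, and a separate Sigstore signing job that only runs once every artifact reached PyPI), as an added example that is not the action's own code nor the PyPUG guide's; the environment name `pypi` and the `tag` input are assumptions:

```yaml
name: Publish to PyPI, then sign and create the GitHub Release

on:
  workflow_dispatch:        # explicit click, nothing happens on push
    inputs:
      tag:
        description: Git tag to create only after the PyPI upload succeeds
        required: true

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python3 -m pip install build && python3 -m build
      - uses: actions/upload-artifact@v4
        with:
          name: python-package-distributions
          path: dist/

  publish-to-pypi:
    needs: build
    runs-on: ubuntu-latest
    # Assumed environment name. Configure "Required reviewers" on it in the
    # repository settings so the run pauses here for inspection before upload.
    environment: pypi
    permissions:
      id-token: write       # Trusted Publishing via OIDC, no stored API token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1

  sign-and-release:
    needs: publish-to-pypi  # never runs unless all dists were uploaded to PyPI
    runs-on: ubuntu-latest
    permissions:
      contents: write       # create the tag/release and upload assets
      id-token: write       # Sigstore keyless signing via OIDC
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - uses: sigstore/gh-action-sigstore-python@v3.0.0
        with:
          inputs: ./dist/*.tar.gz ./dist/*.whl   # writes *.sigstore.json bundles next to them
      - name: Create the Git tag and Release with dists plus Sigstore bundles
        env:
          GITHUB_TOKEN: ${{ github.token }}
        run: gh release create "${{ inputs.tag }}" --repo "${{ github.repository }}" --target "${{ github.sha }}" --notes "" dist/*
```

Because the tag is created in the last job, a failed or rejected PyPI upload leaves Git untouched, and the publish job can be re-run on its own without re-signing.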