Add a workflow to release and sign wheels

.github/workflows/cd.yaml

@@ -0,0 +1,95 @@
+name: CD
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version to build Zig wheels for'
+        required: true
+        default: 'latest'
+      suffix:
+        description: >
+          Suffix to append to the version in the wheel filename, useful for dev versions and version specifiers
+        required: false
+        default: ''
+      platforms:
+        description: >
+          Comma-separated values of platforms to build wheels for
+        required: false
+        default: 'x86_64-windows,x86-windows,x86_64-macos,aarch64-macos,i386-linux,x86-linux,x86_64-linux,aarch64-linux,armv7a-linux'
+      push_to_pypi:
+        description: >
+          Whether to push the built wheels to PyPI. Can be 'true' or 'false', defaults to 'false'.
+        required: false
+        default: 'false'
+
+jobs:
+  build_wheels:
+    name: Build wheels
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
+      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d  # v5.1.0
+        with:
+          python-version: '3.x'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install .
+
+      - name: Build wheels for all platforms
+        shell: bash
+        run: |
+          platforms=${{ github.event.inputs.platforms }}
+          IFS=',' read -r -a platform_array <<< "$platforms"
+          for platform in "${platform_array[@]}"; do
+            python make_wheels.py \
+            --version ${{ github.event.inputs.version }} \
+            --suffix ${{ github.event.inputs.suffix }} \
+            --platform "$platform"
+          done
+
+      - name: Upload wheel artifacts
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808  # v4.3.3
+        with:
+          name: zig-wheels
+          path: dist/*.whl
+
+  deploy_wheels:
+    name: Deploy wheels
+    needs: [build_wheels]
+    environment: pypi
+    runs-on: ubuntu-latest
+    permissions:
+      # Required by
+      # 1. OIDC to publish to PyPI, and
+      # 2. Sigstore to sign artifacts
+      id-token: write
+    if: >-
+      github.event_name == 'workflow_dispatch' &&
+      github.event.inputs.push_to_pypi == 'true' &&
+      github.repository == 'ziglang/zig-pypi'
+    steps:
+      - name: Download wheel artifacts
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e  # v4.1.7
+        with:
+          path: dist/
+          merge-multiple: true
+
+      - name: Publish wheels to PyPI
+        uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450  # v1.8.14
+        with:
+          packages-dir: dist/
+
+      - name: Sign artifacts with Sigstore
+        uses: sigstore/gh-action-sigstore-python@61f6a500bbfdd9a2a339cf033e5421951fbc1cd2  # v2.1.1
+        with:
+          inputs: >-
+            ./dist/*.whl
+
+      - name: Upload signed artifacts and signature files
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808  # v4.3.3
+        with:
+          # This will contain not only the wheels but also the signature files
+          # generated by the Sigstore step
+          path: dist/*