Use Github-Actions for PyPI release process

[ckeshava]

High Level Overview of Change

This proposal is a quality-of-life improvement for developers. It seeks to automate the Release process, as detailed in the CONTRIBUTING.md file. It should not affect the experience of the end-users of the library.

If tagged commits are pushed into this repository, it triggers the Github Actions workflow as defined in publish_to_pypi.yml file. If required, it can be modified to run only on pushes to the main branch.

Context of Change

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Refactor (non-breaking change that only restructures code)
• Tests (You added tests for code that already exists, or your new feature included in this PR)
• Documentation Updates
• Release

Did you update CHANGELOG.md?

• Yes
• No, this change does not impact library users

Objectives of this PR:
[x] Github Releases can also be included into the Github Actions script, using the gh command-line utility.
Note: The auto-generated notes in the Github Release page are minimalistic. A maintainer needs to manually fill-in the Breaking-Changes, Additions, Fixes sections.

[x] The distribution packages can be signed using Sigstore, for additional security. This ensures that downstream applications can use trusted deployments of xrpl-py software distribution.

More information can be found here: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#signing-the-distribution-packages

The sigstore hash is published as one of the assets on the Release page.

[x] Automatically publish the distribution onto PyPI

Test Plan

I have tested the process of publishing the package and upgrading the package at this PyPI test package location: https://pypi.org/project/xrpl-py-release-test.

Future Tasks

1. The Github Actions workflows are organized into disparate files (integration_test, unit_test and snippet_test). Github Actions does not allow easy access to external workflow files. Hence, it is difficult to ensure successful execution of tests, before publishing onto PyPI. This requires some investigation and refactoring of the CI/CD workflow files.
2. The xrpl-py docs generation step must be included as a pre-requisite Status Checks. This ensures that the maintainers can frequently pay attention to docs build failures.
3. It is worthwhile to investigate concurrency of the workflow runs for possible gains in latency. The CI/CD takes a non-trivial amount of time for completion.

Summary by CodeRabbit

• New Features

  • Introduced an automated GitHub Actions workflow for building and publishing the Python package to PyPI and GitHub Releases.
  • Added detailed steps for the release process in the CONTRIBUTING.md file, including version incrementing and tagging.

• Documentation

  • Updated CONTRIBUTING.md to clarify the release process and automate steps for maintainers.

[coderabbitai]

Walkthrough

This pull request introduces a new GitHub Actions workflow in publish_to_pypi.yml, automating the building, publishing, and signing of a Python package for PyPI and GitHub Releases. The workflow includes three main jobs: build, publish-to-pypi, and github-release, each performing specific tasks related to package management. Additionally, the CONTRIBUTING.md file has been updated to include detailed steps for the release process, emphasizing the use of Git commands and the new workflow for automated releases.

Changes

File	Change Summary
.github/workflows/publish_to_pypi.yml	Added a new workflow for publishing Python packages, including jobs for building, publishing to PyPI, and creating GitHub Releases.
CONTRIBUTING.md	Updated to include steps for preparing a release, including version incrementing, updating CHANGELOG, and tagging.

Possibly related PRs

• Update CHANGELOG.md #748: The changes in the CONTRIBUTING.md file regarding the release process and the automation of publishing to PyPI are relevant to the updates made in the publish_to_pypi.yml workflow, as both involve the release and publishing processes for the Python package.

Suggested reviewers

• anissa-ripple
• justinr1234

Poem

In the garden of code, we hop and play,
New workflows bloom, brightening the day.
With every tag pushed, our packages fly,
To PyPI they go, reaching for the sky!
So let’s raise a cheer, for changes so fine,
In the world of Python, our projects will shine! 🐇✨

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[ckeshava]

Here is a sample package that's published by this Github Actions workflow: https://pypi.org/project/xrpl-py-release-test/#description

Let me know if something is amiss. I verified that this package is published correctly, through pip install xrpl-py-release-test command on a fresh system.

[ckeshava]

I need to use some tags to test the publishing of "tagged commits". I will delete these test-tags once my testing is complete.

[coderabbitai]

Actionable comments posted: 5

🧹 Outside diff range and nitpick comments (1)

.github/workflows/publish_to_pypi.yml (1)

1-49: Consider adding environment protection rules.

For additional security, consider defining a protected environment for PyPI deployments. This allows you to:

• Require approval before publishing
• Restrict which branches can deploy
• Limit which users/teams can approve deployments

Add environment configuration:

   publish-to-pypi:
     name: >-
         Publish Python 🐍 distribution 📦 to PyPI
     if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/project/xrpl-py/
     permissions:
         id-token: write

Then configure environment protection rules in your repository settings.

🧰 Tools

🪛 actionlint

25-25: shellcheck reported issue in this script: SC2086:info:2:28: Double quote to prevent globbing and word splitting

(shellcheck)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between c288a5a and f99a483.

📒 Files selected for processing (2)

• .github/workflows/publish_to_pypi.yml (1 hunks)
• pyproject.toml (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• pyproject.toml

🧰 Additional context used

🪛 actionlint

.github/workflows/publish_to_pypi.yml

25-25: shellcheck reported issue in this script: SC2086:info:2:28: Double quote to prevent globbing and word splitting

(shellcheck)

[coderabbitai]

🛠️ Refactor suggestion

Enhance cache key specificity.

The cache key only includes the Poetry version. Consider adding the runner OS and Python version for better isolation.

-          key: dotlocal-${{ env.POETRY_VERSION }}
+          key: dotlocal-${{ runner.os }}-py${{ matrix.python-version }}-poetry${{ env.POETRY_VERSION }}

Committable suggestion was skipped due to low confidence.

[justinr1234]

@ckeshava agree here

[coderabbitai]

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

[ckeshava]

I'm not sure if this suggestion is helpful:

1. I'm using the default version of Python 3.x provided by this Github Actions runner. I believe this script uses only one version of Python.

- name: Set up Python
      uses: actions/setup-python@v5
      with:
        python-version: "3.x"

2. This workflow is executed only on ubuntu-latest, not on any other operating systems.

Having said that, if the cache is used across multiple branches, it is useful to include environment info in the key. I'm surprised we haven't hit any snags although we've used a "broad" key in the tests workflows.

[justinr1234]

I mean the concept of using more specific keys in general

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (2)

CONTRIBUTING.md (2)

207-207: Add context about GPG signing for tag creation.

The -s flag in the tag command indicates GPG signing. Consider adding a note about GPG key setup requirements, as this might confuse contributors who haven't configured GPG signing.

Consider adding this note before the command:

+Note: The following command uses GPG signing (-s flag). Ensure you have a GPG key configured with Git first. If you haven't set this up, see GitHub's guide on GPG key configuration.

---

211-211: Format the bare URL as a proper Markdown link.

The bare URL should be formatted as a proper Markdown link for better readability and consistency.

-This page contains helpful resources: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#configuring-trusted-publishing
+This page contains helpful resources: [Trusted Publishing Configuration](https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#configuring-trusted-publishing)

🧰 Tools

🪛 Markdownlint

211-211: null
Bare URL used

(MD034, no-bare-urls)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between f99a483 and 7fe66c5.

📒 Files selected for processing (1)

• CONTRIBUTING.md (1 hunks)

🧰 Additional context used

🪛 LanguageTool

CONTRIBUTING.md

[style] ~212-~212: Consider using “email”.
Context: ...lows/#configuring-trusted-publishing 4. Send an email to [xrpl-announce](https://groups.google.c...

(SEND_AN_EMAIL)

🪛 Markdownlint

CONTRIBUTING.md

211-211: null
Bare URL used

(MD034, no-bare-urls)

🔇 Additional comments (1)

CONTRIBUTING.md (1)

216-216: LGTM! Clear distinction between automated and manual processes.

The note clearly indicates that the manual release process is optional while preserving the information for maintainers who prefer this approach.

[justinr1234]

@ckeshava agree here

[justinr1234]

Link to docs

[ckeshava]

are you referring to Github Actions docs?
id-token refers to the temporary OpenConnectID token that's assigned to Github Actions by PyPI. I've included docs inside the CONTRIBUTING.md file.

[justinr1234]

When you say something is mandatory, it’s best to link to why

[ckeshava]

fixed in 71f529e

[coderabbitai]

Actionable comments posted: 5

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 7fe66c5 and e81ac65.

📒 Files selected for processing (2)

• .github/workflows/publish_to_pypi.yml (1 hunks)
• pyproject.toml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• pyproject.toml

🧰 Additional context used

🪛 actionlint

.github/workflows/publish_to_pypi.yml

25-25: shellcheck reported issue in this script: SC2086:info:2:28: Double quote to prevent globbing and word splitting

(shellcheck)

[ckeshava]

For some reason, the CodeRabbit AI reminds me of the bunny in Zootopia :)), but helpful suggestions. Thanks.

[justinr1234]

Did you document this and other places where we use poetry to give contributors and understanding where all they need to make changes

[ckeshava]

Hmm, I have not explicitly documented the usage of poetry. At the moment, it is used in all the Github Actions workflows.

In another PR, the version of poetry has already been updated to 1.8.3 in all the Github Actions workflows. I need to rebase this feature branch.

Are you referring something else for documentation?

[justinr1234]

Don’t we have a file to specify the version of Python?

[ckeshava]

I haven't come across such a file. We specify all the supported versions of python explicitly in a list, here is an example:

xrpl-py/.github/workflows/integration_test.yml

Line 20 in edfb99b

python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13"]

But its a good idea to refactor these common elements from all the Github Actions workflows. I need to investigate how to link external files/ENV-VARIABLES inside these workflows.

[coderabbitai]

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (2)

.github/workflows/publish_to_pypi.yml (2)

24-25: Document cache key design.

The simple cache key design should be documented to explain why only Poetry version is sufficient.

Add a comment explaining the cache key design:

      with:
          path: /home/runner/.local
+         # Cache key only includes Poetry version as the cache is Poetry-specific
+         # and independent of Python version or OS
          key: dotlocal-${{ env.POETRY_VERSION }}

---

114-116: Improve release upload command formatting.

The command formatting can be improved for better readability and maintainability.

-       gh release upload
-       '${{ github.ref_name }}' dist/**
-       --repo '${{ github.repository }}'
+       gh release upload \
+         '${{ github.ref_name }}' \
+         dist/** \
+         --repo '${{ github.repository }}'

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between e81ac65 and 64cf7da.

📒 Files selected for processing (1)

• .github/workflows/publish_to_pypi.yml (1 hunks)

🧰 Additional context used

🪛 actionlint

.github/workflows/publish_to_pypi.yml

28-28: shellcheck reported issue in this script: SC2086:info:2:30: Double quote to prevent globbing and word splitting

(shellcheck)

---

64-64: input "retry-on-error" is not defined in action "pypa/gh-action-pypi-publish@release/v1". available inputs are "attestations", "packages-dir", "packages_dir", "password", "print-hash", "print_hash", "repository-url", "repository_url", "skip-existing", "skip_existing", "user", "verbose", "verify-metadata", "verify_metadata"

(action)

---

105-105: shellcheck reported issue in this script: SC2215:warning:11:1: This flag is used as a command name. Bad line break or missing [ .. ]?

(shellcheck)

[coderabbitai]

Actionable comments posted: 4

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 64cf7da and 71f529e.

📒 Files selected for processing (1)

• .github/workflows/publish_to_pypi.yml (1 hunks)

🧰 Additional context used

🪛 actionlint

.github/workflows/publish_to_pypi.yml

28-28: shellcheck reported issue in this script: SC2086:info:2:30: Double quote to prevent globbing and word splitting

(shellcheck)

---

66-66: key "verbose" is duplicated in "with" section. previously defined at line:65,col:9. note that this key is case insensitive

(syntax-check)

---

106-106: shellcheck reported issue in this script: SC2215:warning:11:1: This flag is used as a command name. Bad line break or missing [ .. ]?

(shellcheck)

🪛 yamllint

.github/workflows/publish_to_pypi.yml

[warning] 5-5: wrong indentation: expected 6 but found 8

(indentation)

---

[warning] 12-12: wrong indentation: expected 6 but found 8

(indentation)

---

[warning] 15-15: wrong indentation: expected 6 but found 4

(indentation)

---

[warning] 24-24: wrong indentation: expected 8 but found 10

(indentation)

---

[warning] 52-52: wrong indentation: expected 6 but found 8

(indentation)

---

[warning] 54-54: wrong indentation: expected 6 but found 4

(indentation)

---

[error] 66-66: duplication of key "verbose" in mapping

(key-duplicates)

---

[warning] 73-73: wrong indentation: expected 6 but found 4

(indentation)

---

[warning] 78-78: wrong indentation: expected 6 but found 8

(indentation)

---

[warning] 82-82: wrong indentation: expected 6 but found 4

(indentation)

[coderabbitai]

⚠️ Potential issue

Remove duplicate 'verbose' key.

The 'verbose' key is duplicated in the PyPI publish step configuration.

      with:
        verbose: true
-        verbose: true

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	with:
	verbose: true
	verbose: true
	with:
	verbose: true

🧰 Tools

🪛 actionlint

66-66: key "verbose" is duplicated in "with" section. previously defined at line:65,col:9. note that this key is case insensitive

(syntax-check)

🪛 yamllint

[error] 66-66: duplication of key "verbose" in mapping

(key-duplicates)

[coderabbitai]

⚠️ Potential issue

Fix release upload command formatting.

The current command formatting could cause issues. Each argument should be on a new line with proper continuation.

-       gh release upload
-       '${{ github.ref_name }}' dist/**
-       --repo '${{ github.repository }}'
+       gh release upload \
+           '${{ github.ref_name }}' \
+           dist/** \
+           --repo '${{ github.repository }}'

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	gh release upload
	'${{ github.ref_name }}' dist/**
	--repo '${{ github.repository }}'
	gh release upload \
	'${{ github.ref_name }}' \
	dist/** \
	--repo '${{ github.repository }}'

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (1)

.github/workflows/publish_to_pypi.yml (1)

103-106: Fix release upload command formatting.

The current command formatting could cause issues. Each argument should be on a new line with proper continuation.

-      run: >-
-        gh release upload
-        '${{ github.ref_name }}' dist/**
-        --repo '${{ github.repository }}'
+      run: |
+        gh release upload \
+          '${{ github.ref_name }}' \
+          dist/** \
+          --repo '${{ github.repository }}'

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 71f529e and 817d97d.

📒 Files selected for processing (1)

• .github/workflows/publish_to_pypi.yml (1 hunks)

🧰 Additional context used

🪛 actionlint

.github/workflows/publish_to_pypi.yml

29-29: shellcheck reported issue in this script: SC2086:info:2:30: Double quote to prevent globbing and word splitting

(shellcheck)

🔇 Additional comments (2)

.github/workflows/publish_to_pypi.yml (2)

58-61: 🛠️ Refactor suggestion

Add package metadata verification.

Enable metadata verification to ensure all required PyPI package metadata fields are properly set before publishing.

      uses: pypa/gh-action-pypi-publish@release/v1
      with:
        verbose: true
+       verify-metadata: true

Likely invalid or redundant comment.

---

25-26: 🛠️ Refactor suggestion

Enhance cache key with poetry.lock hash.

The current cache key only depends on the Poetry version. Including a hash of poetry.lock would ensure cache invalidation when dependencies change.

-          key: dotlocal-${{ env.POETRY_VERSION }}
+          key: dotlocal-${{ env.POETRY_VERSION }}-${{ hashFiles('poetry.lock') }}

Likely invalid or redundant comment.

[coderabbitai]

⚠️ Potential issue

Restrict tag pattern to version tags.

The current pattern '*' will trigger on any tag. Since this is a release workflow, it should only trigger on version tags.

 on:
   push:
     tags:
-        - '*'
+        - 'v[0-9]+.[0-9]+.[0-9]+*'  # Matches semantic version tags like v1.2.3

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	on:
	push:
	tags:
	- '*'
	on:
	push:
	tags:
	- 'v[0-9]+.[0-9]+.[0-9]+*' # Matches semantic version tags like v1.2.3

[ckeshava]

Since there is a possibility of releasing specific feature-builds (like AMM, MPT, etc), I will not incorporate this suggestion. I prefer to leave some flexibility in definition of the tags.

[coderabbitai]

@ckeshava, understood. I'll note this preference for future reviews.

(_/)
( ._.)
/

---

✏️ Learnings added

Learnt from: ckeshava
PR: XRPLF/xrpl-py#760
File: .github/workflows/publish_to_pypi.yml:2-5
Timestamp: 2024-10-29T22:43:38.925Z
Learning: In the `.github/workflows/publish_to_pypi.yml` file, when configuring the tag pattern for triggering the release workflow, use the flexible pattern `'*'` instead of restricting to version tags. This allows for releasing specific feature builds (like AMM, MPT, etc.) and provides more flexibility in the tagging process.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

[ckeshava]

@khancode can you please review this PR?

[coderabbitai]

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (1)

.github/workflows/publish_to_pypi.yml (1)

24-26: Enhance cache key specificity.

The cache key could be more specific by including the runner OS to prevent potential cache conflicts.

         path: /home/runner/.local
-         key: dotlocal-${{ env.POETRY_VERSION }}-${{ hashFiles('poetry.lock') }}
+         key: dotlocal-${{ runner.os }}-${{ env.POETRY_VERSION }}-${{ hashFiles('poetry.lock') }}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 817d97d and 1c77cfb.

📒 Files selected for processing (1)

• .github/workflows/publish_to_pypi.yml (1 hunks)

🧰 Additional context used

📓 Learnings (1)

.github/workflows/publish_to_pypi.yml (1)

Learnt from: ckeshava
PR: XRPLF/xrpl-py#760
File: .github/workflows/publish_to_pypi.yml:2-5
Timestamp: 2024-10-29T22:43:40.212Z
Learning: In the `.github/workflows/publish_to_pypi.yml` file, when configuring the tag pattern for triggering the release workflow, use the flexible pattern `'*'` instead of restricting to version tags. This allows for releasing specific feature builds (like AMM, MPT, etc.) and provides more flexibility in the tagging process.

🪛 actionlint

.github/workflows/publish_to_pypi.yml

29-29: shellcheck reported issue in this script: SC2086:info:2:30: Double quote to prevent globbing and word splitting

(shellcheck)

🔇 Additional comments (1)

.github/workflows/publish_to_pypi.yml (1)

40-63: LGTM! Well-configured PyPI publishing job.

The job includes all necessary safety measures:

• Explicit dependency on build job
• Timeout configuration
• Proper permissions for trusted publishing
• Artifact verification

[coderabbitai]

🛠️ Refactor suggestion

Add build artifact verification step.

Add verification of built artifacts before uploading to ensure the build process completed successfully.

    - name: Build a binary wheel and a source tarball
      run: poetry build
+   - name: Verify built artifacts
+     run: |
+       ls dist/*.whl dist/*.tar.gz || exit 1

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Build a binary wheel and a source tarball
	run: poetry build
	- name: Build a binary wheel and a source tarball
	run: poetry build
	- name: Verify built artifacts
	run: |
	ls dist/*.whl dist/*.tar.gz || exit 1

[coderabbitai]

🛠️ Refactor suggestion

Improve release upload command formatting and verification.

Add signature file verification and improve command readability.

+     # Verify signature files exist
+     run: |
+       if ! ls dist/*.sigstore >/dev/null 2>&1; then
+         echo "::error::Signature files not found"
+         exit 1
+       fi
      # Upload to GitHub Release
-     run: >-
-       gh release upload
-       '${{ github.ref_name }}' dist/**
-       --repo '${{ github.repository }}'
+     run: |
+       gh release upload \
+         '${{ github.ref_name }}' \
+         dist/** \
+         --repo '${{ github.repository }}'

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	run: >-
	gh release upload
	'${{ github.ref_name }}' dist/**
	--repo '${{ github.repository }}'
	# Verify signature files exist
	run: |
	if ! ls dist/*.sigstore >/dev/null 2>&1; then
	echo "::error::Signature files not found"
	exit 1
	fi
	# Upload to GitHub Release
	run: |
	gh release upload \
	'${{ github.ref_name }}' \
	dist/** \
	--repo '${{ github.repository }}'

[khancode]

LGTM, great work 👍