Add production release automation

Author: chrishas35

.github/workflows/publish.yaml

@@ -2,7 +2,7 @@ name: Publish Python Package
 
 on:
   push:
-    branches: [main, wip]
+    branches: [main]
   workflow_dispatch:
 
 jobs:
@@ -30,14 +30,75 @@ jobs:
         with:
           name: python-packages
           path: dist/
+  
+  publish-to-pypi:
+    name: Publish to PyPI
+    if: startsWith(github.ref, 'refs/tags/') # only publish to PyPI on tag pushes
+    runs-on: ubuntu-24.04
+    needs: [build]
+    environment:
+      name: pypi
+      url: https://pypi.org/p/simplefin
+    permissions:
+      id-token: write
+    steps:
+      - name: Download distribution packages
+        uses: actions/download-artifact@v4
+        with:
+          name: python-packages
+          path: dist/
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          verbose: true
+  
+  github-release:
+    name: Create GitHub Release
+    needs: publish-to-pypi
+    runs-on: ubuntu-24.04
+
+    permissions:
+      contents: write
+      id-token: write
+    
+    steps:
+      - name: Download distribution packages
+        uses: actions/download-artifact@v4
+        with:
+          name: python-packages
+          path: dist/
+      - name: Sign the dists with Sigstore
+        uses: sigstore/gh-action-sigstore-python@v3.0.0
+        with:
+          inputs: >-
+            ./dist/*.tar.gz
+            ./dist/*.whl
+      - name: Create GitHub Release
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: >-
+          gh release create
+          "$GITHUB_REF_NAME"
+          --repo "$GITHUB_REPOSITORY"
+          --notes ""
+      - name: Upload artifact signatures to GitHub Release
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        # Upload to GitHub Release using the `gh` CLI.
+        # `dist/` contains the built packages, and the
+        # sigstore-produced signatures and certificates.
+        run: >-
+          gh release upload
+          "$GITHUB_REF_NAME" dist/**
+          --repo "$GITHUB_REPOSITORY"
 
   publish-to-testpypi:
     name: Publish to PyPI-Test
     runs-on: ubuntu-24.04
     needs: [build]
     environment:
       name: testpypi
-      url: https://test.pypi.org/p/simplefin-python
+      url: https://test.pypi.org/p/simplefin
     permissions:
       id-token: write
     steps:
@@ -46,7 +107,7 @@ jobs:
         with:
           name: python-packages
           path: dist/
-      - name: Publish to PyPI
+      - name: Publish to TestPyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           repository-url: https://test.pypi.org/legacy/