update github workflow

Author: mxmpl

.github/workflows/release.yml

@@ -1,45 +1,107 @@
 name: Release Workflow
+permissions: {}
 
 on:
   push:
     tags:
       - "*"
 
 jobs:
-  build:
-    name: Build wheel and create release
+  lint:
+    name: Linters
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # Fetch repository
+      security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: zizmor
+        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
+
+      - name: typos
+        uses: crate-ci/typos@2d0ce569feab1f8752f1dde43cc2f2aa53236e06 # v1.40.0
 
-      - name: Linter
-        uses: astral-sh/ruff-action@v3
+      - name: Ruff
+        uses: astral-sh/ruff-action@57714a7c8a2e59f32539362ba31877a1957dded1 # v3.5.1
 
-      - name: Get tag name
-        id: get_tag
-        run: echo "TAG_NAME=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+  build:
+    name: Build distribution
+    runs-on: ubuntu-latest
+    needs: lint
+    permissions:
+      contents: read # Fetch repository
+      actions: write # Upload artifact
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v5
+        uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
         with:
           version: "latest"
+          enable-cache: false
 
-      - name: Build wheel
+      - name: Build wheel and sdist
         run: uv build
 
-      - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+      - name: Upload dists
+        uses: actions/upload-artifact@v5
         with:
-          name: dist-${{ matrix.os }}
-          path: ./dist/*
+          name: python-package-distributions
+          path: dist/
 
-      - name: Create Release
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          TAG: ${{ steps.get_tag.outputs.TAG_NAME }}
-        run: gh release create "$TAG" ./dist/*
+  publish-to-pypi:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    needs: build
+    environment:
+      name: publish-to-pypi
+    permissions:
+      actions: read # Download artifact
+      id-token: write # Needed for trusted publishing
+    steps:
+      - name: Download all dists
+        uses: actions/download-artifact@v6
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
+        with:
+          version: "latest"
+          enable-cache: false
 
       - name: Upload to PyPI
-        run: uv publish -t ${{ secrets.UV_PUBLISH_TOKEN }}
+        run: uv publish --trusted-publishing always
+
+
+  github-release:
+    name: GitHub release
+    runs-on: ubuntu-latest
+    needs: build
+    permissions:
+      actions: read # Download artifact
+      contents: write # Create GitHub release
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
+      - name: Download all dists
+        uses: actions/download-artifact@v6
+        with:
+          name: python-package-distributions
+          path: ./dist/
+
+      - name: Create release
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: gh release create "${GITHUB_REF#refs/tags/}" ./dist/*

README.md

@@ -16,7 +16,7 @@ The naive PyTorch backend for the k-NN is enough to compute the MAP over words q
 
 You might want to use the Faiss backend if you compute the MAP over n-grams or if have a large number of
 embeddings. In this case, since Faiss is not available on PyPI, you can install this package in a pixi or conda
-environment. We recommand using pixi on Linux: clone this repository and run `pixi shell -e faiss-cpu` or
+environment. We recommend using pixi on Linux: clone this repository and run `pixi shell -e faiss-cpu` or
 `pixi shell -e faiss-gpu`.
 
 With conda, first install Faiss in your conda environment (be careful about your PyTorch and Faiss versions,