Merge pull request #88 from QuantStack/updateReleaseInfo

Update release information

Author: DenisaCG

RELEASE.md

@@ -58,23 +58,54 @@ npm publish --access public
 
 ## Automated releases with the Jupyter Releaser
 
-The extension repository should already be compatible with the Jupyter Releaser. But
-the GitHub repository and the package managers need to be properly set up. Please
-follow the instructions of the Jupyter Releaser [checklist](https://jupyter-releaser.readthedocs.io/en/latest/how_to_guides/convert_repo_from_repo.html).
+The extension repository should already be compatible with the Jupyter Releaser.
+
+Check out the [workflow documentation](https://jupyter-releaser.readthedocs.io/en/latest/get_started/making_release_from_repo.html) for more information.
 
 Here is a summary of the steps to cut a new release:
 
+- Add tokens to the [Github Secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) in the repository:
+  - `ADMIN_GITHUB_TOKEN` (with "public_repo" and "repo:status" permissions); see the [documentation](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
+  - `NPM_TOKEN` (with "automation" permission); see the [documentation](https://docs.npmjs.com/creating-and-viewing-access-tokens)
+- Set up PyPI
+
+<details><summary>Using PyPI trusted publisher (modern way)</summary>
+
+- Set up your PyPI project by [adding a trusted publisher](https://docs.pypi.org/trusted-publishers/adding-a-publisher/)
+  - The _workflow name_ is `publish-release.yml` and the _environment_ should be left blank.
+- Ensure the publish release job as `permissions`: `id-token : write` (see the [documentation](https://docs.pypi.org/trusted-publishers/using-a-publisher/))
+
+</details>
+
+<details><summary>Using PyPI token (legacy way)</summary>
+
+- If the repo generates PyPI release(s), create a scoped PyPI [token](https://packaging.python.org/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#saving-credentials-on-github). We recommend using a scoped token for security reasons.
+
+- You can store the token as `PYPI_TOKEN` in your fork's `Secrets`.
+
+  - Advanced usage: if you are releasing multiple repos, you can create a secret named `PYPI_TOKEN_MAP` instead of `PYPI_TOKEN` that is formatted as follows:
+
+    ```text
+    owner1/repo1,token1
+    owner2/repo2,token2
+    ```
+
+    If you have multiple Python packages in the same repository, you can point to them as follows:
+
+    ```text
+    owner1/repo1/path/to/package1,token1
+    owner1/repo1/path/to/package2,token2
+    ```
+
+</details>
+
 - Go to the Actions panel
 - Run the "Step 1: Prep Release" workflow
 - Check the draft changelog
 - Run the "Step 2: Publish Release" workflow
 
-> [!NOTE]
-> Check out the [workflow documentation](https://jupyter-releaser.readthedocs.io/en/latest/get_started/making_release_from_repo.html)
-> for more information.
-
 ## Publishing to `conda-forge`
 
 If the package is not on conda forge yet, check the documentation to learn how to add it: https://conda-forge.org/docs/maintainer/adding_pkgs.html
 
-Otherwise a bot should pick up the new version publish to PyPI, and open a new PR on the feedstock repository automatically.
+Otherwise a bot should pick up the new version publish to PyPI, and open a new PR on the feedstock repository automatically.