chore: switch to use publish-to-bcr workflow

Author: rickeylev

.github/workflows/publish.yml

@@ -0,0 +1,35 @@
+# See https://github.com/bazel-contrib/publish-to-bcr
+name: Publish to BCR
+
+on:
+  # Run the publish workflow after a successful release
+  # Can be triggered from the release.yaml workflow
+  workflow_call:
+    inputs:
+      tag_name:
+        required: true
+        type: string
+    secrets:
+      BCR_PUBLISH_TOKEN:
+        required: true
+  # In case of problems, let release engineers retry by manually dispatching
+  # the workflow from the GitHub UI
+  workflow_dispatch:
+    inputs:
+      tag_name:
+        required: true
+        type: string
+
+jobs:
+  publish:
+    uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@v1.0.0
+    with:
+      draft: false
+      tag_name: ${{ inputs.tag_name }}
+      # GitHub repository which is a fork of the upstream where the Pull Request will be opened.
+      registry_fork: bazel-contrib/bazel-central-registry
+      attest: false
+    permissions:
+      contents: write
+    secrets:
+      publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }}

.github/workflows/release.yml

@@ -35,15 +35,7 @@ jobs:
         uses: actions/checkout@v5
       - name: Create release archive and notes
         run: .github/workflows/create_archive_and_notes.sh
-      - name: Publish wheel dist
-        if: github.event_name == 'push' || github.event.inputs.publish_to_pypi
-        env:
-          # This special value tells pypi that the user identity is supplied within the token
-          TWINE_USERNAME: __token__
-          # Note, the PYPI_API_TOKEN is for the rules-python pypi user, added by @rickylev on
-          # https://github.com/bazel-contrib/rules_python/settings/secrets/actions
-          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
-        run: bazel run --stamp --embed_label=${{ github.ref_name }} //python/runfiles:wheel.publish
+  release:
       - name: Release
         uses: softprops/action-gh-release@v2
         with:
@@ -53,3 +45,19 @@ jobs:
           prerelease: ${{ contains(github.ref, '-rc') }}
           fail_on_unmatched_files: true
           files: rules_python-*.tar.gz
+      - name: Publish runfiles to PyPI
+        if: github.event_name == 'push' || github.event.inputs.publish_to_pypi
+        env:
+          # This special value tells pypi that the user identity is supplied within the token
+          TWINE_USERNAME: __token__
+          # Note, the PYPI_API_TOKEN is for the rules-python pypi user, added by @rickylev on
+          # https://github.com/bazel-contrib/rules_python/settings/secrets/actions
+          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+        run: bazel run --stamp --embed_label=${{ github.ref_name }} //python/runfiles:wheel.publish
+  publish_bcr:
+    needs: build
+    uses: .github/workflows/publish.yaml
+    with:
+      tag_name: ${{ github.ref_name }}
+    secrets:
+      BCR_PUBLISH_TOKEN: ${{ secrets.BCR_PUBLISH_TOKEN }}