Publish to TestPyPi on PR and release #592

Merged
merged 7 commits into from
Jan 18, 2023

@i-oden i-oden commented Jan 10, 2023

Before submitting the PR

  • Fill in and tick fields
  • Remove all rows that are not relevant for the current PR
    • Relevant option missing? Add it as an item and add a PR comment informing that the new option should be included into this template.

All relevant items should be ticked before the PR is merged

Description

  • Summary of the changes and the related issue:

In order to debug and prevent potential issues during releases, we should also 1. publish the CLI to TestPyPi on PR to dev and on release before real publishing, 2. make sure that the hashes are correct. It is possible that we should also recommend verifying the hashes after installation.

The print_hash: true part in tells the action to show the hashes of what will be published. Easily verified manually by checking on PyPi. If something happens though and there's an error, the publishing will not occur.

  • Fixes an issue in GitHub / Jira:
    • Yes: DDS-1443 and DDS-1415

Type of change

  • Workflow

Checklist:

General

  • Changelog: New row added. Not needed when PR includes only tests.

Repository / Releases

  • Rebase / update of branch done

Checks

  • CodeQL passes
  • Formatting: Black & Prettier checks pass
  • Tests
    • The tests pass
  • Trivy:
    • There are no new security alerts

@i-oden i-oden self-assigned this Jan 10, 2023

codecov bot commented Jan 10, 2023

Codecov Report

Merging #592 (12b803a) into dev (8931db6) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##              dev     #592   +/-   ##
=======================================
  Coverage   46.68%   46.68%           
=======================================
  Files          31       31           
  Lines        2787     2787           
=======================================
  Hits         1301     1301           
  Misses       1486     1486           


@i-oden i-oden requested a review from valyo January 10, 2023 07:54
@i-oden i-oden changed the title Print hash when publishing CLI package Publish to TestPyPi on PR and release Jan 10, 2023

@valyo valyo left a comment

Looks good.
I don't completely understand the hashes part but you can probably explain it to me additionally


i-oden commented Jan 18, 2023

> Looks good. I don't completely understand the hashes part but you can probably explain it to me additionally

Before publishing to PyPi the action generates a checksum. These hashes are then available on PyPi, in the "Download" section, in case someone wants to verify them. This "print_hashes" part basically just prints these hashes out here on GitHub so that we could technically check that these hashes are identical to the ones on PyPi and we could possibly add this information to the documentation somehow (not sure though), to recommend that all users verify the integrity of the package. As a precaution and threat mitigation.

@i-oden i-oden merged commit 3165870 into dev Jan 18, 2023
@i-oden i-oden deleted the DDS-1443-generate-signatures-for-releases branch January 18, 2023 06:43
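
The integrity check discussed in this thread, as an added example that is not part of the pull request or the project's code: it compares the SHA-256 of locally built or downloaded distribution files with the digests an index lists, and builds a hash-pinned requirements line for `pip install --require-hashes`. The package name `example_pkg`, the file contents and the metadata dict are constructed; the dict is assumed to follow the shape of PyPI's JSON API (`urls[].filename`, `urls[].digests.sha256`).

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so large artifacts need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_dists(dist_dir, release_json):
    """Map each local filename to "ok", "mismatch" or "not-published" (assumed PyPI JSON shape)."""
    published = {u["filename"]: u["digests"]["sha256"] for u in release_json["urls"]}
    results = {}
    for path in sorted(Path(dist_dir).iterdir()):
        expected = published.get(path.name)
        if expected is None:
            results[path.name] = "not-published"
        elif sha256_file(path) == expected.lower():
            results[path.name] = "ok"
        else:
            results[path.name] = "mismatch"
    return results


def pinned_requirement(name, version, release_json):
    """Build a requirements line that pip checks under --require-hashes."""
    hashes = sorted(u["digests"]["sha256"] for u in release_json["urls"])
    return f"{name}=={version} " + " ".join(f"--hash=sha256:{h}" for h in hashes)


def demo():
    """Constructed sample: two placeholder artifacts, one altered after its digest was recorded."""
    with tempfile.TemporaryDirectory() as tmp:
        wheel = Path(tmp, "example_pkg-1.0.0-py3-none-any.whl")
        sdist = Path(tmp, "example_pkg-1.0.0.tar.gz")
        wheel.write_bytes(b"constructed wheel bytes")
        sdist.write_bytes(b"constructed sdist bytes")
        release = {"urls": [{"filename": p.name, "digests": {"sha256": sha256_file(p)}}
                            for p in (wheel, sdist)]}
        sdist.write_bytes(b"constructed sdist bytes, modified")
        return verify_dists(tmp, release), pinned_requirement("example_pkg", "1.0.0", release)


if __name__ == "__main__":
    print(demo())
```

A "mismatch" or "not-published" result for a file that is about to be installed or uploaded is the case to stop on and investigate.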