Okay this is it.

.github/workflows/publish.yaml

@@ -0,0 +1,105 @@
+name: Publish
+on:
+  push:
+    tags:
+      - '*'
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      hash: ${{ steps.hash.outputs.hash }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v3
+        with:
+          python-version: ${{ matrix.python-version }}
+        # Cache the installation of Poetry itself, e.g. the next step. This prevents the workflow
+        # from installing Poetry every time, which can be slow. Note the use of the Poetry version
+        # number in the cache key, and the "-0" suffix: this allows you to invalidate the cache
+        # manually if/when you want to upgrade Poetry, or if something goes wrong. This could be
+        # mildly cleaner by using an environment variable, but I don't really care.
+      - name: cache poetry install
+        uses: actions/cache@v4
+        with:
+          path: ~/.local
+          key: poetry-1.8.3-0
+
+        # Install Poetry. You could do this manually, or there are several actions that do this.
+        # `snok/install-poetry` seems to be minimal yet complete, and really just calls out to
+        # Poetry's default install script, which feels correct. I pin the Poetry version here
+        # because Poetry does occasionally change APIs between versions and I don't want my
+        # actions to break if it does.
+        #
+        # The key configuration value here is `virtualenvs-in-project: true`: this creates the
+        # venv as a `.venv` in your testing directory, which allows the next step to easily
+        # cache it.
+      - uses: snok/[email protected]
+        with:
+          version: 1.8.3
+          virtualenvs-create: true
+          virtualenvs-in-project: true
+
+        # Cache your dependencies (i.e. all the stuff in your `pyproject.toml`). Note the cache
+        # key: if you're using multiple Python versions, or multiple OSes, you'd need to include
+        # them in the cache key. I'm not, so it can be simple and just depend on the poetry.lock.
+      - name: cache deps
+        id: cache-deps
+        uses: actions/cache@v4
+        with:
+          path: .venv
+          key: pydeps-${{ hashFiles('**/poetry.lock') }}
+
+        # Install dependencies. `--no-root` means "install all dependencies but not the project
+        # itself", which is what you want to avoid caching _your_ code. The `if` statement
+        # ensures this only runs on a cache miss.
+      - run: poetry install --no-interaction --no-root
+        if: steps.cache-deps.outputs.cache-hit != 'true'
+      - run: poetry install --no-interaction
+      - run: poetry build
+      - name: generate hash
+        id: hash
+        run: cd dist && echo "hash=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
+      - uses: actions/upload-artifact@v4
+        with:
+          path: ./dist
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write\
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: ${{ needs.build.outputs.hash }}
+  create-release:
+    # Upload the sdist, wheels, and provenance to a GitHub release. They remain
+    # available as build artifacts for a while as well.
+    needs: [provenance]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/download-artifact@v4
+      - name: create release
+        run: >
+          gh release create --draft --repo ${{ github.repository }}
+          ${{ github.ref_name }}
+          *.intoto.jsonl/* artifact/*
+        env:
+          GH_TOKEN: ${{ github.token }}
+  publish-pypi:
+    needs: [provenance]
+    # Wait for approval before attempting to upload to PyPI. This allows reviewing the
+    # files in the draft release.
+    environment:
+      name: publish
+      url: https://pypi.org/project/assists/${{ github.ref_name }}
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v4
+      - uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: artifact/

README.md

@@ -12,10 +12,18 @@
 
 ## Installation
 
+Using pipx:
+
+```console
+pipx install assists
+```
+
+Using pip:
+
 ```console
 pip install assists
 ```
 
 ## License
 
-`assists` is distributed under the terms of the [Apache](https://spdx.org/licenses/MIT.html) license.
+`assists` is distributed under the terms of the [Apache](https://github.com/phillipsj/assists/blob/main/LICENSE.txt) license.

pyproject.toml

@@ -1,11 +1,13 @@
 [build-system]
-requires = ["poetry-core"]
-build-backend = "poetry.core.masonry.api"
+requires = ["poetry-core>=1.0.0", "poetry-dynamic-versioning>=1.0.0,<2.0.0"]
+build-backend = "poetry_dynamic_versioning.backend"
 
 [tool.poetry]
 name = "assists"
 version = "0.0.0"
 description = "A collection of DevOps and SRE related tools."
+homepage = "https://github.com/phillipsj/assists"
+repository = "https://github.com/phillipsj/assists"
 documentation = "https://github.com/phillipsj/assists/blob/main/DOCS.md"
 readme = "README.md"
 license = "Apache 2.0"
@@ -83,3 +85,7 @@ lint = "pre-commit run --all-files"
 test = "pytest -v --cov  --cov-report=html"
 docs = "typer assists.main utils docs --output DOCS.md --name ast"
 ci   = "task lint && task test"
+
+[tool.poetry-dynamic-versioning]
+enable = true
+vcs = "git"

src/assists/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.0.0"