Add release instructions

doc/contributing.md

@@ -191,4 +191,81 @@ PyRIT test files can be run using `pytest`.
 
 ## Releasing PyRIT to PyPI
 
-TODO
+This section is for maintainers only.
+If you don't know who the maintainers are but you need to reach them
+please file an issue or (if it needs to remain private) contact the
+email address listed in pyproject.toml
+
+First, decide what the next release version is going to be.
+We follow semantic versioning for Python projects; see
+https://semver.org/ for more details.
+Below, we refer to the version as `x.y.z`.
+`x` is the major version, `y` the minor version, and `z` the patch version.
+Every Python project starts at `0.1.0`.
+Patches such as bugfixes without breaking changes increase the patch version.
+Importantly, they are backward compatible, so upgrading from `0.1.0` to
+`0.1.1` (or higher ones like `0.1.38`) should not break your code.
+More significant changes, such as major features, require at least a new
+minor version.
+They should still be backwards compatible, so if you're upgrading from
+`1.1.0` to `1.2.0` your code shouldn't break.
+The major version `1.0.0` is the first "stable" release.
+Anything before (i.e., leading with major version `0`) indicates that it is
+not stable and anything may change at any time.
+For that reason, the minor version may indicate breaking changes, too,
+at least until we hit major version `1`.
+
+With that in mind, the reason for the release and the set of changes
+that happened since the last release will influence the new version number.
+
+Make sure the version data in pyproject.toml is set correctly.
+Keep that version in sync with `__init__.py` which is usually set to
+the next planned version with suffix `.dev0`.
+This makes it easier to distinguish versions when someone submits a bug
+as we will be able to tell if it's a release version or dev version.
+For the release branch, we have to remove this suffix.
+
+Before running the following command replace all "local" links like
+"./doc/README.md" with links that will work from any website, i.e.,
+"https://github.com/Azure/PyRIT/blob/releases/vx.y.z/doc/README.md".
+For images, the past releases didn't succeed in getting them to render.
+For the next release, let's try and modify the image links to the "raw"
+link, e.g.,
+"https://raw.githubusercontent.com/Azure/PyRIT/releases/vx.y.z/assets/pyrit_architecture.png".
+This is required for the release branch because PyPI does not pick up
+other files besides the README, which results in local links breaking.
+
+Commit your changes and push them to the repository on a branch called
+`releases/vx.y.z`, then run
+
+```bash
+git tag -a vx.y.z -m "vx.y.z release"
+git push --tags
+```
+
+To build the package wheel and archive for PyPI run
+
+```bash
+python -m build
+```
+
+This should print
+
+> Successfully built pyrit-x.y.z.tar.gz and pyrit-x.y.z-py3-none-any.whl
+
+Create an account on pypi.org if you don't have one yet.
+Ask one of the other maintainers to add you to the `pyrit` project on PyPI.
+
+```bash
+pip install twine
+twine upload dist/*
+```
+
+If successful, it will print
+
+> View at:
+  https://pypi.org/project/pyrit/x.y.z/
+
+Finally, make sure to create a PR for the `main` branch where the only change
+is the version increase in `__init__.py` (while keeping suffix `.dev0`).
+This should be something like `x.y.z+1.dev0`.