From 3f1b3b3b100c24c3f5e59e296ad046cdb0b0c082 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade
Date: Sun, 20 Aug 2023 13:16:00 +0300
Subject: [PATCH 1/7] Build & maybe upload PyPI package via trusted publishing
---
 .github/workflows/pypi-package.yml | 67 ++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 .github/workflows/pypi-package.yml
diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
new file mode 100644
index 0000000..e482641
--- /dev/null
+++ b/.github/workflows/pypi-package.yml
@@ -0,0 +1,67 @@
+---
+name: Build & maybe upload PyPI package
+
+on:
+  push:
+    branches: [main]
+    tags: ["*"]
+  pull_request:
+    branches: [main]
+  release:
+    types:
+      - published
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  # Always build & lint package.
+  build-package:
+    name: Build & verify package
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - uses: hynek/build-and-inspect-python-package@v1
+
+  # Upload to Test PyPI on every commit on main.
+  release-test-pypi:
+    name: Publish in-dev package to test.pypi.org
+    if: github.repository_owner == 'python' && github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    needs: build-package
+
+    steps:
+      - name: Download packages built by build-and-inspect-python-package
+        uses: actions/download-artifact@v3
+        with:
+          name: Packages
+          path: dist
+
+      - name: Upload package to Test PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+
+  # Upload to real PyPI on GitHub Releases.
+  release-pypi:
+    name: Publish released package to pypi.org
+    environment: release-pypi
+    if: github.repository_owner == 'python' && github.event.action == 'published'
+    runs-on: ubuntu-latest
+    needs: build-package
+
+    steps:
+      - name: Download packages built by build-and-inspect-python-package
+        uses: actions/download-artifact@v3
+        with:
+          name: Packages
+          path: dist
+
+      - name: Upload package to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
From 1e4b09e2a64d911088816c6fde937f10dabbf1a6 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade
Date: Mon, 21 Aug 2023 08:29:20 +0300
Subject: [PATCH 2/7] Apply suggestions from code review
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
---
 .github/workflows/pypi-package.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
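Review bot: Every `uses:` in this hunk points at a mutable ref (`actions/checkout@v3`, `actions/download-artifact@v3`, `hynek/build-and-inspect-python-package@v1`, `pypa/gh-action-pypi-publish@release/v1`), so whoever can move those tags controls the code that runs in the two publish jobs, which hold an OIDC token that mints PyPI upload credentials. Pinning each action to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/download-artifact@<full-commit-sha>  # v3`, removes the dependency on tag immutability, and Dependabot can keep the pins current. For `pypa/gh-action-pypi-publish`, check the action's own documentation first, since its release process has had constraints on SHA pinning; if `@release/v1` is kept deliberately, a comment stating why would help the next reader.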
diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
index e482641..6703e19 100644
--- a/.github/workflows/pypi-package.yml
+++ b/.github/workflows/pypi-package.yml
@@ -1,4 +1,3 @@
----
 name: Build & maybe upload PyPI package
 
 on:
@@ -50,7 +49,7 @@ jobs:
   # Upload to real PyPI on GitHub Releases.
   release-pypi:
-    name: Publish released package to pypi.org
+    name: Publish to PyPI
     environment: release-pypi
     if: github.repository_owner == 'python' && github.event.action == 'published'
     runs-on: ubuntu-latest
From a1740d85a91fd896c5f3e48fe48c7bdc42a81954 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade
Date: Mon, 21 Aug 2023 08:51:56 +0300
Subject: [PATCH 3/7] Tighten permissions
---
 .github/workflows/pypi-package.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
index 6703e19..4b05fe6 100644
--- a/.github/workflows/pypi-package.yml
+++ b/.github/workflows/pypi-package.yml
@@ -13,7 +13,6 @@ on:
 
 permissions:
   contents: read
-  id-token: write
 
 jobs:
   # Always build & lint package.
@@ -35,6 +34,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: build-package
 
+    permissions:
+      id-token: write
+
     steps:
       - name: Download packages built by build-and-inspect-python-package
         uses: actions/download-artifact@v3
@@ -55,6 +57,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: build-package
 
+    permissions:
+      id-token: write
+
     steps:
       - name: Download packages built by build-and-inspect-python-package
         uses: actions/download-artifact@v3
From 5c5e94d96fa3a328e7c004efe173b10489fbce1e Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade
Date: Mon, 21 Aug 2023 08:59:06 +0300
Subject: [PATCH 4/7] Don't fetch all history
---
 .github/workflows/pypi-package.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
index 4b05fe6..4f6fd2b 100644
--- a/.github/workflows/pypi-package.yml
+++ b/.github/workflows/pypi-package.yml
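Review bot: The job-level `permissions:` blocks added in the second and third hunks of the "Tighten permissions" patch carry no comment saying why `id-token: write` is needed, and that grant is the only thing that makes these two jobs sensitive. A line such as `# Mints the OIDC token used for PyPI trusted publishing; a job-level block replaces the workflow-level permissions.` above each `permissions:` would tell the next reader both why it is there and why `contents: read` does not reappear. The same comment applies to both hunks; adding it once per job is enough.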
@@ -22,8 +22,6 @@ jobs:
 
     steps:
       - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
 
       - uses: hynek/build-and-inspect-python-package@v1
 
From 6d82be0f1d0bb044105ccdf31b0b2a0871f2e8db Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade
Date: Mon, 21 Aug 2023 17:39:34 +0300
Subject: [PATCH 5/7] Don't upload to TestPyPI
---
 .github/workflows/pypi-package.yml | 25 +------------------------
 1 file changed, 1 insertion(+), 24 deletions(-)
diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
index 4f6fd2b..926dacd 100644
--- a/.github/workflows/pypi-package.yml
+++ b/.github/workflows/pypi-package.yml
@@ -2,10 +2,9 @@ name: Build & maybe upload PyPI package
 
 on:
   push:
-    branches: [main]
+    branches:
     tags: ["*"]
   pull_request:
-    branches: [main]
   release:
     types:
       - published
@@ -25,28 +24,6 @@ jobs:
 
       - uses: hynek/build-and-inspect-python-package@v1
 
-  # Upload to Test PyPI on every commit on main.
-  release-test-pypi:
-    name: Publish in-dev package to test.pypi.org
-    if: github.repository_owner == 'python' && github.event_name == 'push' && github.ref == 'refs/heads/main'
-    runs-on: ubuntu-latest
-    needs: build-package
-
-    permissions:
-      id-token: write
-
-    steps:
-      - name: Download packages built by build-and-inspect-python-package
-        uses: actions/download-artifact@v3
-        with:
-          name: Packages
-          path: dist
-
-      - name: Upload package to Test PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          repository-url: https://test.pypi.org/legacy/
-
   # Upload to real PyPI on GitHub Releases.
   release-pypi:
     name: Publish to PyPI
From 719222f002b0642b3553a5515c1cf8bbf08903fb Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade
Date: Sat, 26 Aug 2023 11:49:22 +0300
Subject: [PATCH 6/7] Simplify action triggers
---
 .github/workflows/pypi-package.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
index 926dacd..c4913eb 100644
--- a/.github/workflows/pypi-package.yml
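Review bot: On the new side of the first hunk of the "Don't upload to TestPyPI" patch, `branches:` is left with no value, which YAML reads as null rather than an empty list; the bare key adds nothing to the `push:` filter and is exactly the empty-value pattern yamllint flags. Patch 6 of this series deletes that line again, so the cleaner history is to fold the deletion into this commit and leave `push:` with only `tags: ["*"]` here.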
+++ b/.github/workflows/pypi-package.yml
@@ -2,8 +2,6 @@ name: Build & maybe upload PyPI package
 
 on:
   push:
-    branches:
-    tags: ["*"]
   pull_request:
   release:
     types:
From f15aa6da50f62d10af02f6528deb0b703a95daf1 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade
Date: Sat, 26 Aug 2023 18:22:28 +0300
Subject: [PATCH 7/7] Comment when the release-pypi step is run
---
 .github/workflows/pypi-package.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
index c4913eb..2b8f8aa 100644
--- a/.github/workflows/pypi-package.yml
+++ b/.github/workflows/pypi-package.yml
@@ -26,6 +26,7 @@ jobs:
   release-pypi:
     name: Publish to PyPI
     environment: release-pypi
+    # Only run for published releases.
     if: github.repository_owner == 'python' && github.event.action == 'published'
     runs-on: ubuntu-latest
     needs: build-package
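Review bot: The comment added in the last hunk says the job runs only for published releases, but the `if:` it annotates checks `github.event.action == 'published'` without checking the event name, so the guarantee actually rests on `on.release.types` listing only `published` further up the file. Adding the event name makes the condition say what the comment says and keeps it true if the triggers are edited again later: `if: github.repository_owner == 'python' && github.event_name == 'release' && github.event.action == 'published'`. The rest of the `release-pypi` job continues outside this hunk.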