
Set up trusted publishing for making releases to PyPI #187

Merged
merged 3 commits into from
Apr 23, 2024

Conversation

takluyver
Member

@pradyunsg does this look OK? I've reconfigured PyPI to allow publishing from ci.yml, because I like the publish job to run only after the tests have passed, and that's easier if they're in the same file.

Closes #186.

Member

@pradyunsg pradyunsg left a comment


LGTM!

@takluyver takluyver merged commit c667aeb into main Apr 23, 2024
41 checks passed
@takluyver takluyver deleted the gha-trusted-publish branch April 23, 2024 08:31
FLIT_PASSWORD: ${{ secrets.PYPI_TOKEN }}
- run: |
pip install build
python -m build
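Review bot: `pip install build` and `python -m build` execute inside the publish job, i.e. the job that is able to obtain the OIDC token for trusted publishing, so the build backend and every dependency pip resolves for it run with that privilege. Suggest moving these two lines into a separate `build` job that uploads `dist/` as an artifact and having the publish job only download and upload that artifact, so no project or third-party build code ever runs in the privileged job. Since `FLIT_PASSWORD: ${{ secrets.PYPI_TOKEN }}` is going away here, the `PYPI_TOKEN` repository secret should also be deleted and the API token revoked on PyPI rather than left as a dormant long-lived credential.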
Member


@takluyver this bit is problematic — it's discouraged to build in the same job that has elevated privileges and is able to access OIDC.

I recommend splitting it out due to security concerns: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/

@@ -46,16 +46,21 @@ jobs:
name: Publish release
runs-on: ubuntu-latest
needs: tests
environment: release
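Review bot: `environment: release` has to agree with the trusted publisher configured on PyPI for `ci.yml` (the PR description says PyPI was reconfigured for this file): if an environment name is set on the PyPI side, the token exchange is refused unless it matches this value exactly, so renaming it to `pypi` as suggested means updating PyPI as well. Worth also enabling protection rules on that environment (required reviewers, deployments restricted to `main` or release tags), since the environment is what scopes who can trigger this OIDC-privileged job.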
Member


I recommend using pypi since it's a name of the deployment target. I also fixed the suggested name in Warehouse to match this recommendation a few weeks ago. Plus the PyPUG and GH docs use this too.
