Pull request overview
Enables automated publishing of the Python package to PyPI as part of the existing Release GitHub Actions workflow that runs on pushes to main.
Changes:
- Adds a new “Publish to PyPI” step that installs uv, builds distributions, and publishes them using a PyPI token.
| - name: Publish to PyPI | ||
| run: | | ||
| pip install uv | ||
| uv build | ||
| uv publish |
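Review bot: `pip install uv` in this step pulls whatever uv version is current at release time, so the build and upload tooling on the release path is unpinned; a broken or compromised new uv release would land directly in the publish job. Pin it (for example `pip install uv==<pinned-version>`, placeholder for the version the project has tested with) or use the official setup-uv action pinned to a commit SHA, so the artifacts that reach PyPI are built by a known, reproducible toolchain. Since `uv build` and `uv publish` run back to back in one `run:` block, also consider splitting the build into its own step so the produced distributions can be inspected or attested before anything is uploaded.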
This publish step will run on every push to main (the workflow trigger), even when semantic-release version/publish determines there is no new release. In that case uv publish is likely to fail trying to upload a version that already exists on PyPI, breaking the release workflow. Gate this step so it only runs when a new version/tag was created (e.g., detect a version change or newly-created tag from the semantic-release version step and add an if: condition here).
| env: | ||
| UV_PUBLISH_TOKEN: ${{ secrets.PYPI_TOKEN }} |
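Review bot: independent of whether Trusted Publishing is adopted, the `secrets.PYPI_TOKEN` used here should be a project-scoped PyPI API token rather than an account-wide one, so a leak is limited to this package. Because the workflow runs on every push to main, anyone who can push to that branch can trigger an upload with this secret; binding the publish step to a GitHub environment (with required reviewers or branch restrictions) keeps the token out of reach of runs that were not approved for release, and makes the secret's exposure auditable.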
Publishing via a long-lived PYPI_TOKEN secret increases blast radius if the token is ever leaked/over-permissioned. If PyPI Trusted Publishing is available for this project, consider switching to OIDC-based publishing (and adding permissions: id-token: write) to avoid storing a PyPI API token in GitHub secrets.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
No description provided.