Securely build and upload Python distributions to PyPI.
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- uses: casperdcl/deploy-pypi@v2
with:
build: --sdist --wheel --outdir dist .
# only upload if a tag is pushed (otherwise just build & check)
upload: ${{ github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags') }}PyPI Deployment:
- Supports
building- supports customisable build requirements
- supports customisable build command
- supports PEP517 projects lacking a
setup.pyfile
- Supports GPG signing
- Each stage is optional (
build,check,signandupload) - Uses a blazing fast native GitHub composite action
- Outputs names of files for upload (for convenience in subsequent steps)
- Has the entirety of the code in a single file, making it very easy to review
- If you are extremely security conscious you can use a commit SHA of a version you've manually reviewed (e.g.
uses: casperdcl/deploy-pypi@3181cc0919c032ba42e365bd514e27442c54a3be)
- If you are extremely security conscious you can use a commit SHA of a version you've manually reviewed (e.g.
The main alternative GitHub Action pypi-publish currently does not offer the benefits above.
Other features (supported by both) include:
- Supports checking built files
- Supports skipping existing uploads
- Supports OIDC PyPI trusted publishing
You likely should specify exactly one of the following: setup, build or pip.
inputs:
user:
description: PyPI username
default: __token__
password:
description: PyPI password or API token
required: false
registry_domain:
description: PyPI trusted publisher URL
required: false
default: https://upload.pypi.org
requirements:
description: Packages to `pip install` before building
default: twine wheel build
setup:
description: '`setup.py` command to run ("true" is a shortcut for "clean sdist -d <dist_dir> bdist_wheel -d <dist_dir>")'
default: false
build:
description: '`python -m build` command to run ("true" is a shortcut for "-o <dist_dir>")'
default: false
pip:
description: '`pip` command to run ("true" is a shortcut for "wheel -w <dist_dir> --no-deps .")'
default: false
check:
description: Whether to run basic checks on the built files
default: true
upload:
description: Whether to upload
default: true
dist_dir:
description: Directory containing distributions
default: dist
url:
description: Destination repository (package index) URL
default: ''
gpg_key:
description: GPG key to import for signing
default: ''
skip_existing:
description: Continue uploading files if one already exists
default: false
outputs:
whl:
description: Basename of *.whl for upload
targz:
description: Basename of *.tar.gz for upload
whl_asc:
description: Basename of *.whl.asc for upload (requires <gpg_key>)
targz_asc:
description: Basename of *.tar.gz.asc for upload (requires <gpg_key>)