Skip to content

feat(ci): add PyPI publish workflow#14

Merged
joeVenner merged 7 commits into
mainfrom
feat/pypi-publish-workflow
Apr 22, 2026
Merged

feat(ci): add PyPI publish workflow#14
joeVenner merged 7 commits into
mainfrom
feat/pypi-publish-workflow

Conversation

@joeVenner
Copy link
Copy Markdown
Contributor

@joeVenner joeVenner commented Apr 22, 2026
edited
Loading

Summary

Adds an automated PyPI publish workflow using Trusted Publishing (OIDC) — no long-lived API tokens required.

How It Works

  1. Push a version tag: `git tag v0.10.0 && git push origin v0.10.0`
  2. GitHub Actions builds a wheel + sdist
  3. Authenticates to PyPI via OIDC (short-lived token)
  4. Publishes to PyPI

Setup Required (repo admin)

1. GitHub Environment

  1. Go to `https://github.com/fomyio/iotcli/settings/environments\`
  2. Create environment named `pypi`
  3. Add yourself as a required reviewer (enables approval gate)

2. PyPI Trusted Publisher

  1. Go to https://pypi.org/manage/project/iotcli/settings/publishing/
    (create the project first at https://pypi.org/manage/projects/ if it doesn't exist)
  2. Add a new GitHub trusted publisher:
    • Owner: `fomyio`
    • Repository: `iotcli`
    • Workflow name: `publish.yml`
    • Environment name: `pypi`

No API token secret is needed. OIDC handles authentication automatically.

3. Tag Protection (recommended)

Create a GitHub Ruleset restricting `v*` tag creation to admins so only owners can trigger releases.

Security

  • Trusted Publishing — no secrets stored in GitHub
  • Environment approval — workflow pauses for manual approval before publishing
  • Tag protection — only admins can push version tags
  • Pinned action SHA — `pypa/gh-action-pypi-publish` pinned to a specific commit

🤖 Generated with Claude Code

@joeVenner
docs(readme): overhaul with badges, demo, architecture; add privacy p…
d438da7 
…olicy

- Centered tagline + 6 shields (PyPI, Python, CI, Coverage, License, Privacy)
- Add "What is iotcli?" section with key principles
- Add Demo section with list/status/JSON examples
- Add Architecture overview with directory tree
- Expand AI Agent Integration with clearer MCP/skill/workflow sections
- Add PRIVACY.md: local-only data, Fernet encryption, no telemetry
- Fix duplicate device lookup line in control.py (post-merge artifact)
@joeVenner
feat(ci): add PyPI publish workflow
166eef2
@github-actions github-actions Bot added enhancement New feature or request size: L < 500 lines changed documentation Improvements or additions to documentation area: cli CLI commands ci/cd CI/CD pipeline changes and removed size: L < 500 lines changed labels Apr 22, 2026
@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps Bot commented Apr 22, 2026
edited
Loading

Greptile Summary

This PR adds a GitHub Actions workflow (.github/workflows/publish.yml) to automate publishing iotcli to PyPI using OIDC Trusted Publishing — no long-lived API tokens required. The workflow triggers on v* tags, extracts the version from the tag name to patch pyproject.toml, builds a wheel + sdist, and publishes via pypa/gh-action-pypi-publish.

Key changes:

  • New publish workflow using PyPI Trusted Publishing (OIDC), scoped to a pypi GitHub Environment for manual approval gating
  • Version is now dynamically extracted from the pushed git tag via sed before building, resolving the static 0.10.0 issue raised in prior review
  • pypa/gh-action-pypi-publish is pinned to a full commit SHA (cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0) rather than a mutable branch
  • The github.actor guard and hardcoded API token path have been removed in favour of proper Trusted Publishing

Remaining concern:

  • actions/checkout@v4 and actions/setup-python@v5 are still mutable tags. In a publish workflow the checkout and Python setup steps execute code that directly affects what ends up in the published package, so they warrant the same SHA-pinning treatment as the publish action itself.

Confidence Score: 4/5

Safe to merge with one non-blocking follow-up: pin actions/checkout and actions/setup-python to full SHAs for consistency with the workflow's stated security posture.

All previously raised concerns (mutable pypa action tag, static hardcoded version, actor guard bypass, mismatched Trusted Publishing setup) have been addressed in this revision. The only remaining gap is that actions/checkout@v4 and actions/setup-python@v5 use mutable version tags rather than commit SHAs — a moderate supply-chain concern in a publish workflow, but not blocking given the environment approval gate already in place.

.github/workflows/publish.ymlactions/checkout and actions/setup-python should be pinned to full commit SHAs.

Important Files Changed
Filename Overview
.github/workflows/publish.yml Adds a PyPI Trusted Publishing workflow triggered on v* tags. Previous issues (mutable pypa action tag, static version, actor guard) have been resolved. Minor remaining concern: actions/checkout@v4 and actions/setup-python@v5 are still mutable tags.

Sequence Diagram

 
sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub Actions
    participant Env as pypi Environment
    participant PyPI as PyPI (OIDC)

    Dev->>GH: git push tag v*
    GH->>GH: Trigger publish workflow
    GH->>Env: Request environment approval
    Env-->>GH: Approved by reviewer
    GH->>GH: actions/checkout
    GH->>GH: sed version from tag into pyproject.toml
    GH->>GH: actions/setup-python
    GH->>GH: pip install build
    GH->>GH: python -m build (wheel + sdist)
    GH->>PyPI: pypa/gh-action-pypi-publish (OIDC token exchange)
    PyPI-->>GH: Publish confirmed
Loading

Reviews (6): Last reviewed commit: "fix(ci): remove hardcoded actor guard — ..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Apr 22, 2026
View reviewed changes
Comment thread .github/workflows/publish.yml Outdated
Comment thread .github/workflows/publish.yml
@github-actions github-actions Bot added size: L < 500 lines changed and removed documentation Improvements or additions to documentation ci/cd CI/CD pipeline changes labels Apr 22, 2026
@joeVenner joeVenner self-assigned this Apr 22, 2026
@joeVenner
Copy link
Copy Markdown
Contributor Author

joeVenner commented Apr 22, 2026

@greptile review

@github-actions github-actions Bot added size: S < 50 lines changed ci/cd CI/CD pipeline changes size: L < 500 lines changed and removed size: L < 500 lines changed area: cli CLI commands labels Apr 22, 2026
@github-actions github-actions Bot removed ci/cd CI/CD pipeline changes size: L < 500 lines changed labels Apr 22, 2026
@joeVenner
Copy link
Copy Markdown
Contributor Author

joeVenner commented Apr 22, 2026

@greptile review

greptile-apps[bot]
greptile-apps Bot reviewed Apr 22, 2026
View reviewed changes
Comment thread .github/workflows/publish.yml
@github-actions github-actions Bot added the ci/cd CI/CD pipeline changes label Apr 22, 2026
@joeVenner
Copy link
Copy Markdown
Contributor Author

joeVenner commented Apr 22, 2026

@greptile review

greptile-apps[bot]
greptile-apps Bot reviewed Apr 22, 2026
View reviewed changes
Comment thread .github/workflows/publish.yml Outdated
@github-actions github-actions Bot added ci/cd CI/CD pipeline changes and removed ci/cd CI/CD pipeline changes labels Apr 22, 2026
@joeVenner
Copy link
Copy Markdown
Contributor Author

joeVenner commented Apr 22, 2026

@greptile review

greptile-apps[bot]
greptile-apps Bot reviewed Apr 22, 2026
View reviewed changes
Comment thread .github/workflows/publish.yml
@github-actions github-actions Bot removed the ci/cd CI/CD pipeline changes label Apr 22, 2026
@joeVenner
Copy link
Copy Markdown
Contributor Author

joeVenner commented Apr 22, 2026

@greptile review

@joeVenner joeVenner merged commit 8fe3fa6 into main Apr 22, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@joeVenner joeVenner

Labels

enhancement New feature or request size: S < 50 lines changed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@joeVenner