Added support for trusted publishers. #73
@@ -1,9 +1,12 @@ | ||
name: build | ||
name: CI | ||
|
||
on: [push, pull_request] | ||
|
||
env: | ||
PYTEST_ADDOPTS: "--color=yes" | ||
FORCE_COLOR: "1" # Make tools pretty. | ||
TOX_TESTENV_PASSENV: FORCE_COLOR | ||
PIP_DISABLE_PIP_VERSION_CHECK: "1" | ||
PIP_NO_PYTHON_VERSION_WARNING: "1" | ||
|
||
jobs: | ||
test: | ||
|
@@ -101,35 +104,36 @@ jobs: | |
- name: Run linters | ||
run: poetry run invoke lint | ||
|
||
|
||
deploy: | ||
name: Deploy | ||
prep-release: | ||
name: Release preparations | ||
environment: Deployment | ||
needs: [test, lint] | ||
runs-on: ubuntu-latest | ||
if: ${{ github.ref=='refs/heads/main' && github.event_name!='pull_request' }} | ||
|
||
steps: | ||
- uses: actions/checkout@v2 | ||
- uses: actions/checkout@v3 | ||
- name: Setup Python | ||
uses: actions/setup-python@v2 | ||
uses: actions/setup-python@v4 | ||
with: | ||
python-version: "3.8" | ||
- name: Check release | ||
id: check_release | ||
run: | | ||
python -m pip install --upgrade pip | ||
python -m pip install poetry githubrelease httpx==0.16.1 autopub | ||
echo "##[set-output name=release;]$(autopub check)" | ||
- name: Publish | ||
python -m pip install poetry autopub[github] | ||
echo "release=$(autopub check)" >> "$GITHUB_OUTPUT" | ||
EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) | ||
echo "release<<$EOF" >> "$GITHUB_OUTPUT" | ||
The intention was always for AutoPub to internally handle as much of the machinery as possible, so I agree that AutoPub should be enhanced to obviate the need to handle this in GitHub Actions. 👍
||
autopub check >> "$GITHUB_OUTPUT" | ||
echo "$EOF" >> "$GITHUB_OUTPUT" | ||
- name: Tag & Create GH release | ||
if: ${{ steps.check_release.outputs.release=='' }} | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} | ||
PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }} | ||
run: | | ||
git remote set-url origin https://$GITHUB_TOKEN@github.com/${{ github.repository }} | ||
autopub prepare | ||
poetry build | ||
autopub build | ||
I had to set the

Hmm. That's odd. Even without adding an explicit key+value for

I guess I have some cleanups for it there: autopub/autopub#38 --
||
autopub commit | ||
autopub githubrelease | ||
I don't like that the githubrelease upload has the packages from

Agreed — this seems like a more sensible approach. 👍

Arg, the tags are not created by

The tag is created as part of the

Mhm the state could be the tag (?) of the current commit?

In an effort to find a more efficient place for us to discuss this topic, I created an AutoPub issue along with a proposal. What do you think? autopub/autopub#39
||
poetry publish -u __token__ -p $PYPI_PASSWORD |
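Review bot: the `Tag & Create GH release` step still receives `PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}` even though the `poetry publish -u __token__ -p $PYPI_PASSWORD` line is removed and publishing moves to the release workflow; drop that env entry so the PyPI token is no longer handed to a step that only needs the GitHub token. The `release` output is also written twice in the `Check release` step, once as `echo "release=$(autopub check)" >> "$GITHUB_OUTPUT"` and again through the `release<<$EOF` heredoc that runs `autopub check` a second time; keep only the heredoc form (it is the one that is safe for multi-line output) so the `if: ${{ steps.check_release.outputs.release=='' }}` gate compares against a single, well-defined value. Finally, `git remote set-url origin https://$GITHUB_TOKEN@github.com/...` embeds the `GH_TOKEN` secret in the remote URL; that token has to stay a masked secret, and it must remain a PAT rather than the default `GITHUB_TOKEN`, since a release created with the default token would not fire the `release: published` event the new workflow depends on.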
@@ -0,0 +1,42 @@ | ||
--- | ||
name: Build & upload PyPI package | ||
|
||
on: | ||
release: | ||
types: | ||
- published | ||
|
||
jobs: | ||
build-package: | ||
name: Build & verify package | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
|
||
steps: | ||
- uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
|
||
- uses: hynek/build-and-inspect-python-package@v1 | ||
|
||
release-pypi: | ||
name: Publish released package to pypi.org | ||
environment: release-pypi # TODO: how to name the env | ||
Maybe also
|
||
if: github.event.action == 'published' | ||
runs-on: ubuntu-latest | ||
needs: build-package | ||
permissions: | ||
id-token: write | ||
|
||
steps: | ||
- name: Download packages built by build-and-inspect-python-package | ||
uses: actions/download-artifact@v3 | ||
with: | ||
name: Packages | ||
path: dist | ||
|
||
- name: Upload package to PyPI | ||
uses: pypa/gh-action-pypi-publish@release/v1 | ||
with: | ||
repository-url: https://test.pypi.org/legacy/ # TODO: Move over to actual PyPI |
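Review bot: `pypa/gh-action-pypi-publish@release/v1` and `hynek/build-and-inspect-python-package@v1` are referenced by mutable branch and tag refs in a workflow whose `release-pypi` job holds `id-token: write`; for a publishing job pin both to a full commit SHA (keeping the tag in a trailing comment) so a moved ref cannot swap the code that receives the OIDC token. The `if: github.event.action == 'published'` condition is redundant with `types: [published]` on the trigger and can go. On the `environment: release-pypi # TODO` line, whatever name is chosen must match the environment registered in the PyPI trusted publisher exactly, and when `repository-url` moves off `https://test.pypi.org/legacy/` the trusted publisher has to be configured again on pypi.org; adding required reviewers to that environment would also mean the OIDC-minted token is only issued after approval.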
@@ -20,12 +20,6 @@ classifiers = [ | |
"Intended Audience :: Developers", | ||
"License :: OSI Approved :: BSD License", | ||
"Operating System :: OS Independent", | ||
"Programming Language :: Python :: 3", | ||
"Programming Language :: Python :: 3.7", | ||
"Programming Language :: Python :: 3.8", | ||
"Programming Language :: Python :: 3.9", | ||
"Programming Language :: Python :: 3.10", | ||
"Programming Language :: Python :: 3.11", | ||
"Topic :: Security", | ||
"Topic :: Security :: Cryptography", | ||
"Topic :: Software Development :: Libraries :: Python Modules", | ||
|
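Review bot: the removed `Programming Language :: Python :: 3.x` classifiers have no replacement in this hunk and nothing in the PR explains the deletion; if the intent is to let Poetry derive them from the project's `python` version constraint, say so in the description, otherwise keep them so the published metadata still states the supported versions.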
@@ -60,6 +54,7 @@ Werkzeug = "^2.0" | |
|
||
[tool.autopub] | ||
project-name = "Kagi" | ||
build-system = "poetry" | ||
git-username = "botpub" | ||
git-email = "botpub@autopub.rocks" | ||
append-github-contributor = true | ||
|
@@ -92,3 +87,6 @@ DJANGO_SETTINGS_MODULE = 'testproj.settings' | |
[tool.flake8] | ||
ignore = ['E203', 'E501', 'W503'] | ||
max-line-length = 88 | ||
|
||
[tool.check-wheel-contents] | ||
ignore = ['W004'] | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Required because Django migrations are not valid module names. |
I assume the `github` extra works just fine?

Yes, I believe the `github` extra should work fine. There was a point at which I pinned `httpx` in order to work around an issue with `githubrelease`, but I imagine that has since been resolved. I'd rather take the approach you have here and then re-pin `httpx` if and when needed. 👍