Skip to content

[sept 17 merge] review: trusted publishing tutorial #561

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 11 commits into from
Sep 17, 2025
+154 −174
Merged

[sept 17 merge] review: trusted publishing tutorial #561

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
722c854
review: trusted publishing tutorial
lwasser Jul 22, 2025
d74838e
Apply suggestions from code review
lwasser Sep 15, 2025
920d3b6
Apply suggestions from code review
lwasser Sep 16, 2025
29013ee
docs(review): updates from review
lwasser Sep 16, 2025
10ef74c
chore(deps): Update dependabot configuration for GitHub Actions (#577)
lwasser Sep 16, 2025
04aff13
chore: bump the actions group (#579)
dependabot[bot] Sep 16, 2025
d7e8774
Fix: includes
lwasser Sep 16, 2025
f1f92bc
feat: literal includes for the action
lwasser Sep 16, 2025
c9abedd
docs: fix workflow
lwasser Sep 17, 2025
7429c12
chore: fix errors from docs-test
lwasser Sep 17, 2025
cfe7167
Merge branch 'main' into tutorial-trusted-publishing
lwasser Sep 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 9 additions & 2 deletions examples/pure-hatch/.github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,15 @@ jobs:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Set up Hatch
uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc
- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
with:
python-version: "3.12" # Select the version that you want to build your package on
- name: Upgrade pip, install Hatch, and check Hatch version
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe that we have to install hatch manually here as i can't find a hatch specific action.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For model-transparency for model-signing (which I started by following the pyOpenSci guides) we use the following
https://github.com/sigstore/model-transparency/blob/542d0db04c76d05063940488e5f25697731dfab7/.github/workflows/unit_tests.yml#L42-L43

But I just discovered that this always installs the latest hatch, despite pinning, so we'd need to look deeper into this

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mihaimaruseac I wonder if perhaps that just installs Hatch from GitHub?? That is so curious. I believe you that it works, but Dependabot doesn't recognize it as an action, and we couldn't find the action. Maybe there is just some default behavior that we don't know about (or at least I don't know about it!!)

This is such a great tutorial. Thank you again for your work on it. ✨ And my apologies that it took so long for me to get to it.

Copy link
Contributor

@mihaimaruseac mihaimaruseac Sep 18, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is very likely. I'll debug this when I get some time and suggest an edit if needed

Thnak you very much for shepherding this with the final edits! Looking forward for more contributions

run: |
pip install --upgrade pip
pip install --upgrade hatch
hatch --version # Verify that Hatch is installed
- name: Build artifacts
run: hatch build
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
Expand Down
Binary file added images/trusted-publisher-pypi-github.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added images/trusted-publisher-pypi-github.webp
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
6 changes: 3 additions & 3 deletions tutorials/pyproject-toml.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -468,7 +468,7 @@ The classifier key should look something like the example below. A few notes:
- Your classifier values might be different depending upon your intended audience, development status of your package and the Python versions that you support
- You can add as many classifiers as you wish as long as you use the [designated PyPI classifier values](https://PyPI.org/classifiers/).

{emphasize-lines="26-34"}
{emphasize-lines="26-33"}
```toml
[build-system]
requires = ["hatchling"]
Expand Down Expand Up @@ -514,10 +514,10 @@ Finally, add the project.urls table to your pyproject.toml file.
`project.urls` contains links that are relevant for your project. You might want to include:

- **Homepage:** A link to your published documentation for your project. If you are working through this tutorial, then you may not have this link yet. That's ok, you can skip it for the time being.
- **Bug reports:** a link to your issues / discussions or wherever you want users to report bugs.
- **Bug reports:** a link to your issues/discussions or wherever you want users to report bugs.
- **Source:** the GitHub / GitLab link for your project.

{emphasize-lines="36-39"}
{emphasize-lines="35-38"}
```toml
[build-system]
requires = ["hatchling"]
Expand Down
Loading
Loading