From 7360c6c8c5e09e0bd619fa35bf39305a7fcc786e Mon Sep 17 00:00:00 2001 From: Bruno Alla Date: Wed, 11 Oct 2023 14:21:06 +0100 Subject: [PATCH] feat: use trusted publisher to publish to PyPI --- README.md | 6 +++--- copier.yml | 1 - project/.github/workflows/ci.yml | 15 +++++++++------ 3 files changed, 12 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 7a0670e7..193ff836 100644 --- a/README.md +++ b/README.md @@ -66,7 +66,6 @@ A `labels` workflow will also run and synchronise the GitHub labels based on the The workflows need [a few secrets][gh-secrets] to be setup in your GitHub repository: -- `PYPI_TOKEN` to publish releases to [PyPI][pypi]. This one should be created as `release` environment secret. - `GH_PAT` a [personal access token (PAT) with the `repo` scope][create-pat] for opening pull requests and updating the repository topics. This is used by the `hacktoberfest` workflow. - `CODECOV_TOKEN` to upload coverage data to [codecov.io][codecov] in the Test workflow (optional for public repos). @@ -74,7 +73,8 @@ If you have the GitHub CLI installed and chose to set up GitHub, they will be cr ### Automated release -By following the conventional commits specification, we're able to completely automate versioning and releasing to PyPI. This is handled by the `semantic-release.yml` workflow. It is triggered manually by default, but can be configured to run on every push to your main branch. +By following the conventional commits specification, we're able to completely automate versioning and releasing to PyPI. It runs on every push to your main branch, as part of the `release` job of the `ci.yml` workflow. +You'll need to create the first version manually in PyPI and then setup [trusted publisher](https://docs.pypi.org/trusted-publishers/using-a-publisher/) for the project. Here is an overview of its features: 
@@ -87,7 +87,7 @@ Here is an overview of its features: - Push to GitHub. - Create a release in GitHub with the changes as release notes. - Build the source and binary distribution (wheel). -- Upload the sources to PyPI and attach them to the Github release. +- Upload the sources to PyPI and attach them to the Github release, using trusted publisher. For more details, check out the [conventional commits website][conventional-commits] and [Python semantic release][python-semantic-release] Github action. diff --git a/copier.yml b/copier.yml index 9b588bc7..f529e2fb 100644 --- a/copier.yml +++ b/copier.yml @@ -93,7 +93,6 @@ _tasks: # Setup GitHub - "{% if setup_github %}gh repo create {{ github_username }}/{{ project_slug }} -d '{{ project_short_description }}' --public --remote=origin --source=. --push{% endif %}" - "{% if setup_github %}gh repo edit --delete-branch-on-merge --enable-projects=false --enable-wiki=false{% endif %}" - - "{% if setup_github %}gh secret set PYPI_TOKEN -b 'changeme'{% endif %}" - "{% if setup_github %}gh secret set GH_PAT -b 'changeme'{% endif %}" # Setup pre-commit - "{% if setup_pre_commit %}pre-commit install{% endif %}" diff --git a/project/.github/workflows/ci.yml b/project/.github/workflows/ci.yml index 6932c8a5..3d2ded92 100644 --- a/project/.github/workflows/ci.yml +++ b/project/.github/workflows/ci.yml @@ -65,13 +65,18 @@ jobs: token: ${{ secrets.CODECOV_TOKEN }} release: - runs-on: ubuntu-latest - environment: release needs: - test - lint - commitlint + runs-on: ubuntu-latest + environment: release + concurrency: release + permissions: + id-token: write + contents: write + steps: - uses: actions/checkout@v4 with: 
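Review bot: The `permissions:` block added to the `release` job grants `id-token: write` and `contents: write`, which is the minimal pair PSR plus trusted publishing needs, but it only narrows anything if the rest of the workflow is read-only; a job-level `permissions:` does not affect the `test`, `lint` and `commitlint` jobs, which inherit the workflow or repository default (not visible in this hunk) and may still get a write-all token. I would add `permissions:` / `contents: read` at the workflow level so only this job escalates. The retained `environment: release` line is now security-relevant too: with trusted publishing PyPI can be configured to accept only OIDC tokens minted for that environment, so the environment's protection rules (deployment branches limited to `main`, optionally required reviewers) are what gate a release, and whether they are set cannot be told from the diff. The `release` job's `steps:` list continues past the end of the hunk.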
@@ -80,14 +85,14 @@ jobs: # Do a dry run of PSR - name: Test release - uses: relekang/python-semantic-release@v8.1.1 + uses: python-semantic-release/python-semantic-release@v8.1.1 if: github.ref_name != 'main' with: root_options: --noop # On main branch: actual PSR + upload to PyPI & GitHub - name: Release - uses: relekang/python-semantic-release@v8.1.1 + uses: python-semantic-release/python-semantic-release@v8.1.1 id: release if: github.ref_name == 'main' with: @@ -96,8 +101,6 @@ jobs: - name: Publish package distributions to PyPI uses: pypa/gh-action-pypi-publish@release/v1 if: steps.release.outputs.released == 'true' - with: - password: ${{ secrets.PYPI_TOKEN }} - name: Publish package distributions to GitHub Releases uses: python-semantic-release/upload-to-gh-release@main
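Review bot: Both rewritten `uses:` lines move to `python-semantic-release/python-semantic-release@v8.1.1` but still pin by tag, and tags are mutable; an org move is precisely the kind of event after which a tag can be re-pointed. Pin third-party actions to a full commit SHA and keep the tag as a comment, `uses: python-semantic-release/python-semantic-release@<commit-sha> # v8.1.1` (resolve the SHA from the upstream repository; none is asserted here). This matters more than before because the job now holds `contents: write` and `id-token: write`, so a compromised action could push to `main` and obtain a PyPI-trusted OIDC token. The `steps:` list these entries belong to starts before this hunk and continues after it.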
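Review bot: Dropping `password:` is correct for trusted publishing, but both publish actions on the new side are referenced by moving refs — `pypa/gh-action-pypi-publish@release/v1` is a branch and `python-semantic-release/upload-to-gh-release@main` is a default branch — so each run executes whatever those refs point to at that moment, inside a job that can mint an OIDC token PyPI trusts. Pin both to a commit SHA with the branch as a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<commit-sha> # release/v1`, and let Dependabot refresh them. Trusted publishing also only succeeds once the PyPI publisher is registered for this exact owner/repository, workflow filename (`ci.yml`) and the `release` environment, and a mismatch surfaces only as a runtime failure of this step, so a comment above it would spare the next maintainer a hunt: `# OIDC trusted publishing: the PyPI publisher must name this workflow file (ci.yml) and the release environment; no API token is used.` Whether the action's default upload path of `dist/*` matches where the PSR step writes its artifacts is not visible in the hunk.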