MRG: Merge pull request #110 from octue/use-trusted-publisher-for-pypi

Use trusted publisher for PyPi

.github/workflows/python-ci.yml

@@ -1,12 +1,12 @@
-# This workflow will install Python dependencies, run tests and lint with a variety of Python versions.
-#
-# On successful test, the package will be published. For candidate releases, the package will be
-#  published to test.pypi.org server (to ensure the process works). For merges to master, the
-#  package will be published live.
+# This workflow will install Python dependencies, run tests and lint with a variety of Python versions. On successful
+# test, the package will be published to the test PyPi server.
 
 name: python-ci
 
-on: [push]
+on:
+  push:
+    branches-ignore:
+      - main
 
 jobs:
   check-semantic-version:
@@ -54,6 +54,9 @@ jobs:
     if: "!contains(github.event.head_commit.message, 'skipci')"
     runs-on: ubuntu-latest
     needs: [check-semantic-version, run-tests]
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v3
@@ -69,17 +72,8 @@ jobs:
           python3 setup.py sdist bdist_wheel
 
       - name: Test package is publishable with PyPI test server
-        uses: pypa/gh-action-pypi-publish@master
+        uses: pypa/gh-action-pypi-publish@v1.8.10
         with:
-          user: __token__
-          password: ${{ secrets.TEST_PYPI_TOKEN }}
-          repository_url: https://test.pypi.org/legacy/
-          skip_existing: true
-
-      - name: Publish latest package to PyPI
-        if: contains(github.ref, 'main')
-        uses: pypa/gh-action-pypi-publish@master
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_TOKEN }}
+          repository-url: https://test.pypi.org/legacy/
+          skip-existing: true
           verbose: true

.github/workflows/release.yml

@@ -1,30 +1,83 @@
 name: Release the package on merge into main
 
-# Only trigger when a pull request into main branch is closed.
+# This workflow will only be triggered when a pull request into main branch is merged (and not closed without merging).
 on:
   pull_request:
     types: [closed]
     branches:
       - main
 
 jobs:
+  run-tests:
+    if: "github.event.pull_request.merged == true"
+    runs-on: ubuntu-latest
+    env:
+      USING_COVERAGE: '3.8'
+    strategy:
+      matrix:
+        python: [ 3.8 ]
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v3
+
+      - name: Setup Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: ${{ matrix.python }}
+
+      - name: Install tox
+        run: pip install tox
+
+      - name: Run tests
+        run: tox
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v3
+        with:
+          files: coverage.xml
+          fail_ci_if_error: true
+
   release:
-    # This job will only run if the PR has been merged (and not closed without merging).
-    if: "github.event.pull_request.merged == true && !contains(github.event.pull_request.head.message, 'skipci')"
+    needs: run-tests
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-
-    - name: Get package version
-      run: echo "PACKAGE_VERSION=$(python setup.py --version)" >> $GITHUB_ENV
-
-    - name: Create Release
-      uses: actions/create-release@v1
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, no need to create your own.
-      with:
-        tag_name: ${{ env.PACKAGE_VERSION }}
-        release_name: ${{ github.event.pull_request.title }}
-        body: ${{ github.event.pull_request.body }}
-        draft: false
-        prerelease: false
+      - uses: actions/checkout@v3
+
+      - name: Get package version
+        run: echo "PACKAGE_VERSION=$(python setup.py --version)" >> $GITHUB_ENV
+
+      - name: Create Release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, no need to create your own.
+        with:
+          tag_name: ${{ env.PACKAGE_VERSION }}
+          release_name: ${{ github.event.pull_request.title }}
+          body: ${{ github.event.pull_request.body }}
+          draft: false
+          prerelease: false
+
+  publish:
+    needs: release
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.8
+
+      - name: Make package
+        run: |
+          python3 -m pip install --upgrade setuptools wheel
+          python3 setup.py sdist bdist_wheel
+
+      - name: Publish package distributions to PyPI
+        uses: pypa/[email protected]
+        with:
+          verbose: true

.pre-commit-config.yaml

@@ -58,19 +58,11 @@ repos:
     hooks:
       - id: check-branch-name
         args:
-          - '^main$'
-          - '^development$'
-          - '^devops/([a-z][a-z0-9]*)(-[a-z0-9]+)*$'
-          - '^doc/([a-z][a-z0-9]*)(-[a-z0-9]+)*$'
-          - '^feature/([a-z][a-z0-9]*)(-[a-z0-9]+)*$'
-          - '^fix/([a-z][a-z0-9]*)(-[a-z0-9]+)*$'
-          - '^hotfix/([a-z][a-z0-9]*)(-[a-z0-9]+)*$'
-          - '^refactor/([a-z][a-z0-9]*)(-[a-z0-9]+)*$'
-          - '^review/([a-z][a-z0-9]*)(-[a-z0-9]+)*$'
-          - '^enhancement/([a-z][a-z0-9]*)(-[a-z0-9]+)*$'
+        - "^main$"
+        - "^([a-z][a-z0-9]*)(-[a-z0-9]+)*$"
 
-  - repo: https://github.com/octue/pre-commit-hooks
-    rev: 0.5.0
+  - repo: https://github.com/octue/conventional-commits
+    rev: 0.9.0
     hooks:
       - id: check-commit-message-is-conventional
         stages: [commit-msg]

setup.py

@@ -16,7 +16,7 @@
 
 setup(
     name="twined",
-    version="0.5.2",
+    version="0.5.3",
     py_modules=[],
     install_requires=["jsonschema ~= 4.4.0", "python-dotenv"],
     url="https://www.github.com/octue/twined",