Add GitHub workflow for making releases #945
Conversation
|
I like the direction of this, but at first glance, it doesn't seem to take into account the discussion in #683. It also doesn't update the documented release process, which includes generating a changelog, and uses an existing GHA job. |
|
Thanks, wasn't aware of that issue. I'll read it and update as necessary, can also update docs of course! |
| - name: publish | ||
| uses: pypa/gh-action-pypi-publish@d7edd4c95736a5bc1260d38b5523f5d24338bc25 | ||
| with: | ||
| user: __token__ |
There was a problem hiding this comment.
This is not necessary, it's already the default
| user: __token__ |
| release-pypi: | ||
| needs: [build] | ||
| runs-on: ubuntu-latest | ||
| permissions: {} |
There was a problem hiding this comment.
I think contents: read may be necessary for the artifact download.
There was a problem hiding this comment.
Also, you could drop all the privileges on the workflow level additionally.
| if-no-files-found: warn | ||
|
|
||
| release-pypi: | ||
| needs: [build] |
There was a problem hiding this comment.
I strongly recommend putting that token in an environment:
| needs: [build] | |
| needs: [build] | |
| environment: | |
| name: pypi | |
| url: https://pypi.org/project/twine/ |
The environment with the name pypi may be created automatically when this workflow runs. It will be empty.
But you can create it upfront and add the secret there. While on that setting page, also enable the approval requirement and a small cool-down timer.
| with: | ||
| name: built-packages | ||
| path: ./dist/ | ||
| if-no-files-found: warn |
| # Confusingly, this action also supports updating releases, not | ||
| # just creating them. This is what we want here, since we've manually | ||
| # created the release that triggered the action. | ||
| uses: softprops/action-gh-release@v1 |
There was a problem hiding this comment.
It is also possible to create discussions attached to the releases. Example: https://github.com/cherrypy/cheroot/releases/tag/v9.0.0 (there's a button at the bottom). I started doing this in my automations.
But I think, it only works on creation, not updating. The 📢 announcements discussion category should be pre-existing.
| name: Release | ||
|
|
||
| on: | ||
| release: |
There was a problem hiding this comment.
Lately I've been preferring the workflow_dispatch event — it allows me to type in the version number I want and both PyPI and GH releases get created with that.
I can also make Git updates like generating the changelog, bumping the version, making a tag, and pushing that as a part of the workflow, making sure all the steps are automated, lowering the possibility of human errors as much as possible.
| permissions: | ||
| id-token: write | ||
| outputs: | ||
| hashes: ${{ steps.hash.outputs.hashes }} |
| name: Build artifacts | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write |
There was a problem hiding this comment.
Pretty sure nothing uses this. Did you mean to set contents: write for the upload action?
|
Can I overtake the PR? I would also configure trusted publishing. |
|
@chrysle I'd say go for it and make a new PR — Dustin is a busy man and I doubt he'll have time to rework this PR anytime soon... Though, the maintainers would still need to set up trusted publishing on the PyPI side. |
@chrysle Thanks for the offer. I'm happy to have you take a pass at it, but I think it's worth noting that it might take awhile to review. Also, if you haven't already, please read through all of the comments and their links, for context. |
Yes, please do! |
|
This looks to be covered by #1047 and can be closed. |
This PR implements a GitHub workflow to automate publication of Twine releases when GitHub releases are made, using https://github.com/pypa/gh-action-pypi-publish/ to publish to PyPI.
Needs
PYPI_TOKENto be set for the repo in order for this to succeed.