-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Release policy and access #13446
Comments
I also do Gentoo packages, although like the Debian ones this isn't strictly part of the release process for Meson itself. I am happy to help out with releasing to github and PyPI, although I'm not set up to do MSI packages. I already sign all git commits if possible so also signing tags and tarballs is not a problem. |
PyPI publishing can be automated with Trusted Publishers; there is no need for token management, as permissions can be managed by GitHub environment settings. |
We need to make the (PGP-signed) release for github releases either way so I'm not entirely sure how much we'd save by automatically making a second copy for PyPI. |
Has anyone looked at how hard it would be to automate the signed github tarball and MSI installer? We've been doing the "trusted publishers" thing for vscode-meson, which has worked very well (although I might be a bus factor due to being the only one in the packaging orgs...) |
Only the tarball is signed though? So Trusted Publishing could be triggered on releases, and do the wheel and PyPI parts. |
Currently I do all the releases. Which is fine and works, but has a bus factor of one. So maybe it should be expanded. We currently do
So who should have access rights for these? All those with admin rights in Github? Someone else?
Another question is whether some of these could be automated? Like building and uploading PyPI packages when a new release is added to GH? All of these are already done with scripts so this is more of an issue of access token management.
The text was updated successfully, but these errors were encountered: