Commit

Change workflow and documentation to trusted publishing
grst committed Nov 28, 2023
1 parent 9ec0f0d commit ba6be2e
Showing 2 changed files with 24 additions and 22 deletions.
33 changes: 15 additions & 18 deletions {{cookiecutter.project_name}}/.github/workflows/release.yaml
Expand Up @@ -5,26 +5,23 @@ on:
tags:
- "*.*.*"

# Use "trusted publishing", see https://docs.pypi.org/trusted-publishers/
jobs:
release:
name: Release
name: Upload release to PyPI
runs-on: ubuntu-latest
environment:
name: pypi
url: https://pypi.org/p/{{ cookiecutter.package_name }}
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
steps:
- name: Checkout code
uses: actions/checkout@v3

- name: Set up Python 3.10
uses: actions/setup-python@v4
with:
python-version: "3.10"

- name: Install hatch
run: pip install hatch

- name: Build project for distribution
run: hatch build

- name: Publish a Python distribution to PyPI
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
with:
python-version: "3.11"
cache: "pip"
- run: pip install build
- run: python -m build
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: ${{ secrets.PYPI_API_TOKEN }}
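
Review bot: In the `release` job, `permissions: id-token: write` applies to every step, so `pip install build` and `python -m build` run with the ability to request the OIDC token that PyPI trusts. Move the build into its own job without that permission, hand the `dist/` files over as an artifact, and leave only the `pypa/gh-action-pypi-publish@release/v1` step in the job that has `id-token: write` and the `pypi` environment. Also confirm that the trailing `with:` / `password: ${{ secrets.PYPI_API_TOKEN }}` lines are deletions in this hunk; if a password is passed, the action authenticates with the token rather than through trusted publishing. Since this job can publish, consider pinning `actions/checkout@v3`, `actions/setup-python@v4` and the publish action to full commit SHAs instead of tags or a branch.
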
13 changes: 9 additions & 4 deletions {{cookiecutter.project_name}}/docs/template_usage.md
Expand Up @@ -158,14 +158,17 @@ On the RTD dashboard choose "Import a Project" and follow the instructions to ad
If your project is private, there are ways to enable docs rendering on [readthedocs.org][] but it is more cumbersome and requires a different subscription for read the docs. See a guide [here](https://docs.readthedocs.io/en/stable/guides/importing-private-repositories.html).
### The release Github workflow
### Automating PyPI released using GitHub actions
#### Configuring the Github workflow
Tags adhering to `"*.*.*"` that are pushed to the `main` branch will trigger the release Github workflow that automatically builds and uploads the Python package to [PyPI][].
For this to work, the `PYPI_API_TOKEN` Github secret needs to be set to the value of the [PyPI][] token.
See [Creating PyPI tokens][] for instructions on how to create a [PyPI][] token.
Finally, set your `PYPI_API_TOKEN` Github secret equal to the value of the just created [PyPI][] token by following [creating Github secrets][].
For this to work, you'll need to setup GitHub as a [trusted publisher][] on PyPI. To set this up, login to
[PyPI][], and navigate to your project. In the left sidebar, choose "Publishing", and add the repository details.
The "Workflow name" needs to bet set to `release.yaml`. In most cases, you can leave the "Environment name" empty.
For more details, please refer to the official [PyPI guide for setting up trusted publishing][pypi-trusted-publishing-guide].


#### Behind the scenes
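
Review bot: The new paragraph says the "Environment name" can usually be left empty, but the workflow in this commit sets `environment:` / `name: pypi`. Recommend telling users to enter `pypi` as the environment name on PyPI, so that PyPI only accepts the workflow when it runs in that environment and any protection rules on it apply. The sentence "Tags adhering to `"*.*.*"` that are pushed to the `main` branch" also overstates the trigger: the lines shown in `release.yaml` filter on `tags` only, so the docs should not imply a branch restriction. Typos to fix while here: "Automating PyPI released" (releases), "bet set" (be set), "setup GitHub" (set up), "login to" (log in to).
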

Expand Down Expand Up @@ -194,6 +197,8 @@ Provide your username and password when requested and then go check out your pac

For more information, follow the [Python packaging tutorial][].

[pypi-trusted-publishing-guide]: https://docs.pypi.org/trusted-publishers/adding-a-publisher/
[trusted publisher]: https://docs.pypi.org/trusted-publishers/
[creating github secrets]: https://docs.github.com/en/actions/security-guides/encrypted-secrets
[creating pypi tokens]: https://pypi.org/help/#apitoken
[managing github releases]: https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository
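
Review bot: The `[creating github secrets]` and `[creating pypi tokens]` link definitions stay in place after this change, although the paragraph that used them describes the `PYPI_API_TOKEN` setup being replaced. If nothing else in `template_usage.md` still references them, drop both so the docs no longer point readers at the token-based flow. The new `[pypi-trusted-publishing-guide]` label is hyphenated while the neighbouring labels use spaces; pick one style.
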