Comments (5)
Don't do that. Build in a separate job. Check out the URL on the repo front page and links in readme for good examples. There's a bigger PyPUG guide. Feel free to make a PR to make the link more visible. Otherwise, it's an action and putting huge workflow examples in the readme is a non starter. Different projects would have different workflows, anyway.
from gh-action-pypi-publish.
Enjoy a potential vulnerability with OIDC, then. Also, I'm talking about separate jobs, not actions or pipelines. Check the terminology you use. This repository is not meant to hold a copy of GitHub's docs anyway. Anyway, I'm not putting dangerous advice there either, it'd be irresponsible. If there's a reasonable improvement, though, I might consider it, as long as it's in the scope of this project.
from gh-action-pypi-publish.
So, same action, different job for the build?
from gh-action-pypi-publish.
Same workflow, different job. Action is a reusable step within a job.
from gh-action-pypi-publish.
There was actually a full workflow at the bottom of this page.
This is the best resource for this. Ideally this would be in the README under a <details>
block or something.
Full workflow
name: Publish Python 🐍 distribution 📦 to PyPI and TestPyPI
on: push
jobs:
build:
name: Build distribution 📦
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: "3.x"
- name: Install pypa/build
run: >-
python3 -m
pip install
build
--user
- name: Build a binary wheel and a source tarball
run: python3 -m build
- name: Store the distribution packages
uses: actions/upload-artifact@v3
with:
name: python-package-distributions
path: dist/
publish-to-pypi:
name: >-
Publish Python 🐍 distribution 📦 to PyPI
if: startsWith(github.ref, 'refs/tags/') # only publish to PyPI on tag pushes
needs:
- build
runs-on: ubuntu-latest
environment:
name: pypi
url: https://pypi.org/p/<package-name> # Replace <package-name> with your PyPI project name
permissions:
id-token: write # IMPORTANT: mandatory for trusted publishing
steps:
- name: Download all the dists
uses: actions/download-artifact@v3
with:
name: python-package-distributions
path: dist/
- name: Publish distribution 📦 to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
github-release:
name: >-
Sign the Python 🐍 distribution 📦 with Sigstore
and upload them to GitHub Release
needs:
- publish-to-pypi
runs-on: ubuntu-latest
permissions:
contents: write # IMPORTANT: mandatory for making GitHub Releases
id-token: write # IMPORTANT: mandatory for sigstore
steps:
- name: Download all the dists
uses: actions/download-artifact@v3
with:
name: python-package-distributions
path: dist/
- name: Sign the dists with Sigstore
uses: sigstore/[email protected]
with:
inputs: >-
./dist/*.tar.gz
./dist/*.whl
- name: Create GitHub Release
env:
GITHUB_TOKEN: ${{ github.token }}
run: >-
gh release create
'${{ github.ref_name }}'
--repo '${{ github.repository }}'
--notes ""
- name: Upload artifact signatures to GitHub Release
env:
GITHUB_TOKEN: ${{ github.token }}
# Upload to GitHub Release using the `gh` CLI.
# `dist/` contains the built packages, and the
# sigstore-produced signatures and certificates.
run: >-
gh release upload
'${{ github.ref_name }}' dist/**
--repo '${{ github.repository }}'
publish-to-testpypi:
name: Publish Python 🐍 distribution 📦 to TestPyPI
needs:
- build
runs-on: ubuntu-latest
environment:
name: testpypi
url: https://test.pypi.org/p/<package-name>
permissions:
id-token: write # IMPORTANT: mandatory for trusted publishing
steps:
- name: Download all the dists
uses: actions/download-artifact@v3
with:
name: python-package-distributions
path: dist/
- name: Publish distribution 📦 to TestPyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
repository-url: https://test.pypi.org/legacy/
from gh-action-pypi-publish.
Related Issues (20)
- Make this action play nicely with new gh upload/download artifact actions v4 HOT 7
- [docs] Emphasize the dangers of enabling `skip-existing` in README
- "Only one sdist may be uploaded per release" with skip-existing enabled HOT 2
- Provide a better troubleshooting message when used from a 3P PR
- raise BadZipFile("Bad magic number for central directory") HOT 7
- invalid-publisher: valid token, but no corresponding publisher part 2 HOT 16
- Invalid API Token: token with user restriction without a user HOT 5
- Publishing to PyPI fails with HTTPError: 403 Forbidden HOT 4
- Feature request: add `--dry-run` equivalent parameter HOT 8
- `twine check` in action, but passes when dockerfile built locally HOT 4
- option to disable twine progressbar
- HTTPError: 403 Forbidden or invalid-publisher: a valid token is recognized, but no corresponding publisher is found HOT 8
- [TODO] Update the 2FA nudge error message to use present tense
- InvalidDistribution: Unknown distribution format: 'artifact' when not specifying an artifact name HOT 12
- Document permission requirements for private repositories HOT 2
- Token request failed: the index produced an unexpected 503 response HOT 6
- Can't use https://pypi.org/p/<your-pypi-project-name> HOT 1
- Publish package fails: KeyError: 'home-page' HOT 18
- Deprecate the `password` setting in favor of `token`?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gh-action-pypi-publish.