From f3dc6c037f547a4828c541d2875e43e36ca25553 Mon Sep 17 00:00:00 2001 From: Johnnie Gray Date: Wed, 12 Jun 2024 12:16:03 -0700 Subject: [PATCH] update release action to trusted publishing --- .github/workflows/pypi-release.yml | 53 +++++++++++++++++++++--------- 1 file changed, 38 insertions(+), 15 deletions(-) diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml index 9c5e43c3..b50080eb 100644 --- a/.github/workflows/pypi-release.yml +++ b/.github/workflows/pypi-release.yml @@ -13,23 +13,25 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'jcmgray/quimb' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: actions/setup-python@v4 + - uses: actions/setup-python@v5 name: Install Python with: - python-version: 3.8 + python-version: "3.12" - name: Install dependencies run: | python -m pip install --upgrade pip python -m pip install build twine + - name: Build tarball and wheels run: | git clean -xdf git restore -SW . python -m build + - name: Check built artifacts run: | python -m twine check --strict dist/* @@ -40,7 +42,7 @@ jobs: else echo "✅ Looks good" fi - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: releases path: dist @@ -49,11 +51,11 @@ jobs: needs: build-artifacts runs-on: ubuntu-latest steps: - - uses: actions/setup-python@v4 + - uses: actions/setup-python@v5 name: Install Python with: - python-version: 3.8 - - uses: actions/download-artifact@v3 + python-version: "3.12" + - uses: actions/download-artifact@v4 with: name: releases path: dist 
@@ -61,17 +63,33 @@ jobs: run: | ls -ltrh ls -ltrh dist + - name: Verify the built dist/wheel is valid if: github.event_name == 'push' run: | python -m pip install --upgrade pip python -m pip install dist/quimb*.whl + + upload-to-test-pypi: + needs: test-built-dist + if: github.event_name == 'push' + runs-on: ubuntu-latest + + environment: + name: pypi + url: https://test.pypi.org/p/quimb + permissions: + id-token: write + + steps: + - uses: actions/download-artifact@v4 + with: + name: releases + path: dist - name: Publish package to TestPyPI if: github.event_name == 'push' - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@v1.8.14 with: - user: __token__ - password: ${{ secrets.TESTPYPI_TOKEN }} repository-url: https://test.pypi.org/legacy/ verbose: true @@ -80,14 +98,19 @@ jobs: needs: test-built-dist if: github.event_name == 'release' runs-on: ubuntu-latest + + environment: + name: pypi + url: https://pypi.org/p/quimb + permissions: + id-token: write + steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@v4 with: name: releases path: dist - name: Publish package to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@v1.8.14 with: - user: __token__ - password: ${{ secrets.PYPI_TOKEN }} - verbose: true + verbose: true \ No newline at end of file
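Review bot: The new `upload-to-test-pypi` job sets `environment: name: pypi`, the same environment name the production `upload-to-pypi` job uses, even though its `url` points at test.pypi.org. This job runs on every push, so any protection rule placed on `pypi` (required reviewers, tag or branch restrictions) would either block routine pushes or have to stay disabled, and then it cannot gate the real release. I would give the test job its own environment, `name: testpypi`, and, if the trusted publisher on TestPyPI is bound to an environment name (not visible here), register that name there. The step-level `if: github.event_name == 'push'` on "Publish package to TestPyPI" now duplicates the job-level condition and can be dropped.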
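Review bot: `pypa/gh-action-pypi-publish@v1.8.14` is a tag reference, and this job (like `upload-to-test-pypi` in the previous hunk) now runs it with `id-token: write`, so whatever code the tag resolves to can obtain an upload credential for the project. A tag can be moved after review; pinning to the full commit SHA with the version kept as a trailing comment fixes the code that runs: `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # v1.8.14`. `actions/download-artifact@v4` in the same job is worth pinning the same way, since it supplies the files that get published. The hunk also leaves the file without a trailing newline after `verbose: true`.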