Update release workflow to use Trusted Publishing #10263

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged (1 commit, Mar 8, 2025)
59 changes: 47 additions & 12 deletions .github/workflows/release.yml
Expand Up @@ -12,12 +12,10 @@ permissions:
contents: read

jobs:
release-pypi:
name: Upload release to PyPI
build:
name: Build release assets
runs-on: ubuntu-latest
environment:
name: PyPI
url: https://pypi.org/project/pylint/
if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags')
Contributor:
Is the combined check needed?
Isn't release always connected to a tag?

Suggested change
if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags')
if: github.event_name == 'release'

Also, there's now a convenient value for the ref type in the context:

Suggested change
if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags')
if: github.ref_type == 'tag'

Member Author:
Nice! Didn't know about github.ref_type.

Isn't release always connected to a tag?

Yes, it should be. Created #10267 to just use github.event_name == 'release' for the check.

steps:
- name: Check out code from Github
uses: actions/[email protected]
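Review bot: the `if:` gate on the `build` job (`github.event_name == 'release' && startsWith(github.ref, 'refs/tags')`) is the only thing that keeps the two publish jobs from running, since both declare `needs: ["build"]`, so keep it at job level rather than only on individual steps; the `startsWith` clause is redundant for a `release` event, where `github.ref` is already the tag ref, and `if: github.event_name == 'release'` (or `github.ref_type == 'tag'`) reads clearer, as the thread concludes. The top-level `permissions: contents: read` means `build` holds neither `id-token` nor any write scope, which is the right separation from the publish jobs. One further point: the action references in this hunk are version references rather than full commit SHAs; for the workflow that feeds a Trusted Publishing step, pin `actions/checkout` (and the others) to a commit SHA so a re-pointed tag cannot change what runs in the release path.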
Expand All @@ -31,15 +29,52 @@ jobs:
run: |
# Remove dist, build, and pylint.egg-info
# when building locally for testing!
python -m pip install twine build
python -m pip install build
- name: Build distributions
run: |
python -m build
- name: Upload release assets
uses: actions/[email protected]
with:
name: release-assets
path: dist/

release-pypi:
name: Upload release to PyPI
runs-on: ubuntu-latest
needs: ["build"]
environment:
name: PyPI
url: https://pypi.org/project/pylint/
permissions:
id-token: write
steps:
- name: Download release assets
uses: actions/[email protected]
with:
name: release-assets
path: dist/
- name: Upload to PyPI
if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags')
env:
TWINE_REPOSITORY: pypi
TWINE_USERNAME: __token__
TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
run: |
twine upload --verbose dist/*
uses: pypa/gh-action-pypi-publish@release/v1

release-github:
name: Upload assets to Github release
runs-on: ubuntu-latest
needs: ["build"]
permissions:
contents: write
id-token: write
steps:
- name: Download release assets
uses: actions/[email protected]
with:
name: release-assets
path: dist/
- name: Sign the dists with Sigstore and upload assets to Github release
if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags')
Contributor:
Why not skip the entire job?

Member Author (@cdce8p, Mar 9, 2025):
The job shouldn't even start in the first place.

  • The workflow is only triggered on release -> published
  • The upload jobs (to Github and PyPI) need Build which is only run for github.event_name == 'release'
    build:
    name: Build release assets
    runs-on: ubuntu-latest
    if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags')

I usually prefer to be a bit more explicit with these checks when it comes to releases, even if not really necessary.

Contributor:
Yeah, I had a feeling this was overly verbose..

uses: sigstore/[email protected]
with:
inputs: |
./dist/*.tar.gz
./dist/*.whl
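Review bot: `uses: pypa/gh-action-pypi-publish@release/v1` is a moving branch reference, and this is the step that exchanges the job's OIDC token for a PyPI publish token; pin it, along with `sigstore/gh-action-sigstore-python` and `actions/download-artifact`, to a full commit SHA so a compromised or re-pointed ref cannot execute with `id-token: write`. Three further points. First, Trusted Publishing only succeeds if the publisher registered on PyPI matches this repository, the workflow filename `release.yml` and the environment name `PyPI` exactly, so confirm that registration before the next tag, then delete the now-unused `PYPI_API_TOKEN` secret and revoke the token on PyPI so no other workflow can still read it. Second, `id-token: write` and `contents: write` are correctly scoped to the two publish jobs only, with the top-level `contents: read` covering `build`; the `download-artifact` steps run ahead of the step-level `if:` lines, which is harmless here because `build` is already gated, so those step-level `if:` lines can go, as the thread suggests. Third, the step name says the signed dists are uploaded to the GitHub release, but the `sigstore/gh-action-sigstore-python` step only passes `inputs:`; confirm that release-asset upload is enabled by default for the pinned version, otherwise set the action's release-upload input (`release-signing-artifacts`) explicitly.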
3 changes: 3 additions & 0 deletions doc/whatsnew/fragments/10256.other
@@ -0,0 +1,3 @@
Upload release assets to PyPI via Trusted Publishing.

Closes #10256