ci: PyPI publish workflow (Trusted Publishing)#25
Merged
Conversation
Automate the manual `twine upload` step. Builds sdist+wheel, runs `twine check`, verifies the release tag matches the pyproject version, then publishes via PyPI Trusted Publishing (OIDC) — no stored API token. One-time PyPI-side setup documented in the workflow header (add trusted publisher: owner=sillok-os, repo=sillok, workflow=publish.yml, env=pypi). Signed-off-by: peterkimpmp <tykim21@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Automates the manual
twine uploadstep used for every release so far (0.1.0a7,0.2.0a2,0.2.0a3,0.3.0a1were all hand-uploaded).Adds
.github/workflows/publish.yml:workflow_dispatchfor manual re-run).buildjob:python -m build→twine check→ verifies the release tag matchespyprojectversion (guards the v0.3.0a1-style tag↔version parity we enforce manually).publishjob: PyPI Trusted Publishing (OIDC) viapypa/gh-action-pypi-publish— no API token stored as a secret.Why
Until now GitHub release and PyPI upload were two separate manual steps; missing the second one left
STATUS.md'spypi.org/.../0.3.0a1/link as a 404 (fixed by a manual upload). This closes that gap permanently.One-time setup required (maintainer, PyPI side)
PyPI → project
sillok→ Settings → Publishing → Add a trusted publisher:sillok-os· Repositorysillok· Workflowpublish.yml· EnvironmentpypiAfter that, publishing a Release auto-uploads the matching dist.
Validation
python -m yamlparse OK.Upstream: peterkimpmp/aipm#663