Merge pull request #129 from tahoe-lafs/127.pypi-trusted-publishing #284
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Build sdist+wheel packages using GitHub Actions, and publish them on | |
| # TestPyPI (on pull requests and tags) and PyPI (on tags). | |
| # | |
| # The build_wheels job is mostly adopted from | |
| # https://cibuildwheel.readthedocs.io/en/stable/setup/ | |
| # | |
| # The upload_pypi and upload_testpypi jobs are adopted from Python | |
| # Packaging User Guide. | |
| name: "Packages" | |
| on: | |
| push: | |
| branches: | |
| # Do build on pushes to master. | |
| - "master" | |
| tags: | |
| # Do build on pushes to any release tag See | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet | |
| # for documentation about how patterns are matched. | |
| - "zfec-*" | |
| # Do build on pushes to any branch with an open pull request. | |
| pull_request: | |
| # Do build on different release events | |
| # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#release | |
| release: | |
| types: [published, created, edited] | |
| jobs: | |
| build_wheels: | |
| name: "${{ matrix.wheel-selector }}-* wheel on ${{ matrix.os }}" | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| # NOTE: when updating the matrix below, be sure to keep OS and | |
| # Python versions in sync with the ones in test.yml. | |
| matrix: | |
| os: | |
| - "macos-latest" | |
| - "ubuntu-22.04" | |
| - "windows-2022" | |
| wheel-selector: | |
| - "cp39" | |
| - "cp310" | |
| - "cp311" | |
| - "cp312" | |
| - "cp313" | |
| - "pp38" | |
| - "pp39" | |
| - "pp310" | |
| steps: | |
| - name: Check out zfec sources | |
| uses: actions/checkout@v4 | |
| with: | |
| # Check out the full history, including tags. This is necessary to | |
| # construct non-release version numbers. | |
| fetch-depth: 0 | |
| - name: Build wheels | |
| uses: pypa/cibuildwheel@v2.21.3 | |
| with: | |
| output-dir: wheelhouse | |
| env: | |
| # Configure cibuildwheel to build just some of the total wheels we | |
| # could build for this architecture. This yields better parallelism | |
| # on GitHub Actions execution. | |
| CIBW_BUILD: "${{ matrix.wheel-selector }}-*" | |
| # Just make sure that Python can use zfec package. | |
| CIBW_TEST_COMMAND: python -c "import zfec; print(zfec.__version__)" | |
| # Build `universal2` and `arm64` wheels on an Intel runner. | |
| CIBW_ARCHS_MACOS: "x86_64 universal2 arm64" | |
| # Skip testing arm64 builds on Intel Macs. | |
| CIBW_TEST_SKIP: "*-macosx_arm64 *-macosx_universal2:arm64" | |
| # Use newer manylinux so we get newer gcc and can take advantage of | |
| # speed boost from x86-64-v2, at the cost of not supporting some old | |
| # patch releases of Python 3.9 if they haven't updated pip in their | |
| # virtualenv. | |
| CIBW_MANYLINUX_X86_64_IMAGE: "manylinux_2_28" | |
| - uses: actions/upload-artifact@v4 | |
| name: Upload artifacts | |
| with: | |
| name: wheels-${{ matrix.wheel-selector }}-on-${{ matrix.os }} | |
| path: ./wheelhouse/*.whl | |
| build_sdist: | |
| name: Build source distribution | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| name: Check out zfec sources | |
| with: | |
| # Check out the full history, including tags. This is necessary to | |
| # construct non-release version numbers. | |
| fetch-depth: 0 | |
| - uses: actions/setup-python@v4 | |
| name: Install Python | |
| with: | |
| python-version: '3.11' | |
| - name: Build sdist | |
| run: | | |
| python3 setup.py sdist | |
| - uses: actions/upload-artifact@v4 | |
| name: Upload artifacts | |
| with: | |
| name: sdist | |
| path: dist/*.tar.gz | |
| # Both `upload_pypi` and `upload_testpypi` jobs are based on | |
| # "Publishing package distribution releases using GitHub Actions CI/CD | |
| # workflows" page of Python Package User Guide. Specifically see the | |
| # section under "The whole CI/CD workflow". | |
| # | |
| # https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#the-whole-ci-cd-workflow | |
| # | |
| # The important bit here is that we use GitHub Actions as the "trusted | |
| # publisher" to publish packages on both PyPI and TestPyPI. We do not | |
| # use long-lived tokens anymore. Instead, both PyPI and TestPyPI are | |
| # configured to trust this GH Actions workflow, and the workflow will | |
| # use a short-lived tokens minted by them. | |
| # | |
| # https://docs.pypi.org/trusted-publishers/ | |
| # | |
| # There is a bit of duplication below but that seems to be necessary | |
| # because the environment configuration is different for PyPI and | |
| # TestPyPI. Perhaps the duplication is not necessary, but let us just | |
| # stick with the Python Package User Guide's recommendation. | |
| upload_pypi: | |
| name: Publish zfec on PyPI | |
| # Publish to PyPI on release tag pushes. | |
| if: >- | |
| github.event_name == 'push' && | |
| startsWith(github.event.ref, 'refs/tags/zfec-') | |
| needs: | |
| - "build_wheels" | |
| - "build_sdist" | |
| runs-on: "ubuntu-latest" | |
| environment: | |
| name: "release" | |
| url: "https://pypi.org/project/zfec/" | |
| # This permission is mandatory for trusted publishing | |
| permissions: | |
| id-token: write | |
| steps: | |
| # Download all artifacts previously built by this workflow to the dist | |
| # directory where the publish step can find them. These are the sdist | |
| # and all of the wheels build by the other jobs. | |
| - uses: "actions/download-artifact@v4" | |
| with: | |
| pattern: "*" | |
| path: "dist" | |
| merge-multiple: true | |
| - name: "Publish to PyPI" | |
| uses: "pypa/gh-action-pypi-publish@v1.12.4" | |
| with: | |
| # Run `twine upload --verbose`. | |
| verbose: true | |
| upload_testpypi: | |
| # Publish both builds triggered by pull requests and builds | |
| # triggered by release tags to TestPyPI. | |
| name: Publish zfec on TestPyPI | |
| needs: | |
| - "build_wheels" | |
| - "build_sdist" | |
| runs-on: "ubuntu-latest" | |
| environment: | |
| name: "testpypi" | |
| url: "https://test.pypi.org/project/zfec/" | |
| # This permission is mandatory for trusted publishing | |
| permissions: | |
| id-token: write | |
| steps: | |
| # Do the same thing as the download-artfact step in | |
| # upload_testpypi job. | |
| - uses: "actions/download-artifact@v4" | |
| with: | |
| pattern: "*" | |
| path: "dist" | |
| merge-multiple: true | |
| - name: "Publish to TestPyPI" | |
| uses: "pypa/gh-action-pypi-publish@v1.12.4" | |
| with: | |
| # Override the default in order to upload to TestPyPi. | |
| repository-url: https://test.pypi.org/legacy/ | |
| # Run `twine upload --verbose`. | |
| verbose: true |