|
|
||
| jobs: | ||
| deploy: | ||
| # Always build & lint package. |
Member
This comment is redundant, it is covered by the name.
| # This workflow is triggered two ways: | ||
| # | ||
| # 1. When a tag is created, the workflow will upload the package to | ||
| # 1. When a commit is made, the workflow will upload the package to |
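Review bot: the header comment's "When a commit is made" does not name a branch, while the job comment further down reads "Publish to Test PyPI on every commit on main". Say "a commit is made to main" here so both descriptions of the Test PyPI trigger agree.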
Member
Hmm, I won't be able to do releases in one PR now, right? It'll require me to do two.
| with: | ||
| repository-url: https://test.pypi.org/legacy/ | ||
|
|
||
| # Publish to PyPI on GitHub Releases. |
Member
Similarly redundant with the name and comment.
| steps: | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| fetch-depth: 0 |
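Review bot: the `with:` block on `actions/checkout` shows only `fetch-depth: 0`. Unless it is set on a line not shown here, add `persist-credentials: false`, since this job goes on to run the package build and has no use for the token that checkout leaves configured for git. For `fetch-depth: 0` itself, add a one-line comment naming what needs the full history, or drop it if nothing does.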
Member
Why? Does it need the entire history?
|
|
||
| - uses: hynek/build-and-inspect-python-package@fe0a0fb1925ca263d076ca4f2c13e93a6e92a33e # v2.17.0 | ||
|
|
||
| # Publish to Test PyPI on every commit on main. |
Member
Won't this fail due to duplicate version numbers?
This follows the https://github.com/python/blurb/blob/main/.github/workflows/release.yml pattern as much as possible, which is very similar to the other PyPI Trusted Publishing workflows we have under https://github.com/python/, which will help ease maintenance burden.
As before, it publishes to Test PyPI for commits to main, and to prod PyPI when releases are created.
The main difference is we build the artifacts (sdist and wheel) in an isolated job then upload as GH artifacts. Then another isolated job will download and publish to the relevant index.
This isolates the installation of build deps from the job that uploads, and helps prevent supply chain attacks.
It will also run when we're not in "publish mode", and verify the artifacts can be built. We also get a nice summary of the packages and their contents. For example:
This also includes extra linting of artifacts. There was a bunch of "W002: Wheel contains duplicate files" warnings:
I've ignored these, as I think these are inherent to how tzdata is built? Anyway, this is pre-existing in the last published wheel:
check-wheel-contents --no-config tzdata-2026.2-py2.py3-none-any.whl
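
The build/publish split described in this pull request, as an added sketch that is not the workflow from the PR or from python/blurb. The environment names and the `<PINNED_SHA>` placeholders are assumptions; the artifact name `Packages` is the one `build-and-inspect-python-package` uploads.

```yaml
# Added sketch: build without credentials, publish without running project code.
on:
  push:
    branches: [main]
  release:
    types: [published]

permissions: {}   # nothing granted by default; each job asks for what it needs

jobs:
  build:          # runs the build backend and its dependencies; cannot publish
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # Builds sdist and wheel, lints them, uploads them as artifact "Packages".
      - uses: hynek/build-and-inspect-python-package@fe0a0fb1925ca263d076ca4f2c13e93a6e92a33e # v2.17.0

  publish-test:   # no checkout, no pip install: only downloads and uploads
    needs: build
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: release-testpypi        # assumed environment name
    permissions:
      id-token: write                    # OIDC token for Trusted Publishing
    steps:
      - uses: actions/download-artifact@<PINNED_SHA>    # placeholder pin
        with:
          name: Packages
          path: dist
      - uses: pypa/gh-action-pypi-publish@<PINNED_SHA>  # placeholder pin
        with:
          repository-url: https://test.pypi.org/legacy/

  publish-pypi:   # same shape, gated on a published GitHub Release
    needs: build
    if: github.event_name == 'release'
    runs-on: ubuntu-latest
    environment: release-pypi            # assumed environment name
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@<PINNED_SHA>    # placeholder pin
        with:
          name: Packages
          path: dist
      - uses: pypa/gh-action-pypi-publish@<PINNED_SHA>  # placeholder pin
```

Only the two publish jobs hold `id-token: write`, so a compromised build dependency running in `build` has no OIDC token to exchange for an upload credential.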