Testing the git action for publishing to pypi #2436
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #2436 +/- ##
==========================================
+ Coverage 71.50% 81.35% +9.84%
==========================================
Files 54 49 -5
Lines 1783 1609 -174
Branches 221 208 -13
==========================================
+ Hits 1275 1309 +34
+ Misses 458 254 -204
+ Partials 50 46 -4 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
Please include a changelog entry and add Fixes #ISSUE_NUMBER to the PR description, as we describe in our README |
.github/workflows/publish.yml
Outdated
| @@ -0,0 +1,35 @@ | |||
| name: Publish to PyPI | |||
There was a problem hiding this comment.
issue, blocking: We already have code that's a bit more lightweight to handle pushing to PyPI and that's baked into the push.yaml script; could you consult -us or -core on this?
|
Also, please write Fixes #ISSUE in the description |
.github/workflows/push.yml
Outdated
| @@ -96,3 +96,29 @@ jobs: | |||
| run: docker build -t ghcr.io/policyengine/policyengine docker | |||
| - name: Push container | |||
| run: docker push ghcr.io/policyengine/policyengine | |||
| publish-to-pypi: | |||
| name: Publish to PyPI | |||
| if: github.event_name == 'release' | |||
There was a problem hiding this comment.
issue, blocking: This will only run when we publish GitHub releases, which we do not
I'd recommend following the setup we use in -us, but with minor modifications where necessary. This is the relevant code:
Publish:
runs-on: ubuntu-latest
if: |
(github.repository == 'PolicyEngine/policyengine-us')
&& (github.event.head_commit.message == 'Update PolicyEngine US')
steps:
- name: Checkout repo
uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: 3.12
- name: Publish a git tag
run: ".github/publish-git-tag.sh || true"
- name: Install package
run: make install
- name: Build package
run: make
- name: Publish a Python distribution to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
user: __token__
password: ${{ secrets.PYPI }}
skip-existing: true
.github/workflows/push.yml
Outdated
| uses: pypa/gh-action-pypi-publish@release/v1 | ||
| with: | ||
| user: __token__ | ||
| password: ${{ secrets.PYPI }} |
There was a problem hiding this comment.
issue, blocking: Passage of this token is a security risk
We do use tokens like these elsewhere, so I understand why you did it this way. That said, passing a permissive token like this in a workflow has a ton of security concerns. Please follow this guide as far as you can, then let me know if/when you need me to get any information from PyPI.
.github/workflows/push.yml
Outdated
| permissions: | ||
| id-token: write # Required for Trusted Publishing | ||
| contents: read | ||
|
|
There was a problem hiding this comment.
nit, non-blocking: We don't typically have these blank lines between jobs
Please remove them
| pip install build | ||
|
|
||
| - name: Build package | ||
| run: python -m build |
There was a problem hiding this comment.
question, blocking?: Did you test this action at all locally?
| - name: Build package | ||
| run: python -m build | ||
|
|
||
| - name: Publish to PyPI via Trusted Publishing |
There was a problem hiding this comment.
question, blocking: Does this require configuration on our end within PyPI?
I believe it does, but haven't received any communication on it from your end.
Fixes #284