diff --git a/.cruft.json b/.cruft.json index cbda7ab1..5027132f 100644 --- a/.cruft.json +++ b/.cruft.json @@ -1,6 +1,6 @@ { "template": "https://github.com/cthoyt/cookiecutter-snekpack", - "commit": "0618364d751132ea40c35ef4720a350dc028bcbe", + "commit": "1884310d930f56787c96d4eba45bcb4a5225f7cb", "checkout": null, "context": { "cookiecutter": { diff --git a/.github/workflows/cruft.yml b/.github/workflows/cruft.yml index 7442c9f5..07aa4d2b 100644 --- a/.github/workflows/cruft.yml +++ b/.github/workflows/cruft.yml @@ -2,9 +2,7 @@ name: Update repository with Cruft -permissions: - contents: write - pull-requests: write +permissions: {} on: workflow_dispatch: @@ -13,6 +11,9 @@ on: jobs: update: + permissions: + contents: write + pull-requests: write runs-on: ubuntu-latest strategy: fail-fast: true diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index ebf81a3b..29de0f43 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -4,6 +4,10 @@ name: Tests +# by default, give the GITHUB_TOKEN no permissions +# See https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token +permissions: {} + on: push: branches: [ main ] @@ -13,6 +17,11 @@ on: jobs: lint: name: Code Quality + permissions: + # give only read-only access to the contents of the repository + # this is the only permission this job requires, so keep it to the least privilege + # i.e., not to issues, discussions, actions, etc. + contents: read runs-on: ubuntu-latest strategy: matrix: @@ -31,6 +40,8 @@ jobs: docs: name: Documentation + permissions: + contents: read runs-on: ubuntu-latest strategy: matrix: @@ -56,6 +67,8 @@ jobs: run: uvx -p ${{ matrix.python-version }} --with tox-uv tox -e docs-test tests: name: Tests + permissions: + contents: read runs-on: ${{ matrix.os }} strategy: matrix: diff --git a/README.md b/README.md index d95dbb94..71f3bd30 100644 --- a/README.md +++ b/README.md 
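Review bot: The job-level grant added under `update` in `.github/workflows/cruft.yml` gives the token `contents: write` and `pull-requests: write` with no comment saying which step needs each, while the same commit documents the read-only grant on the `lint` job in `tests.yml`. These are the only write scopes in the visible workflows, so a short why-comment would help the next reviewer keep them from widening. For example, `# contents: write - push the branch carrying the template update` and `# pull-requests: write - open the update pull request`. The job's steps are outside the hunk, so confirm both scopes are actually used before documenting them this way.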
@@ -231,30 +231,15 @@ You only have to do the following steps once. #### Configuring your machine's connection to PyPI -You have to do the following steps once per machine. Create a file in your home directory called -`.pypirc` and include the following: - -```ini -[distutils] -index-servers = - pypi - testpypi - -[pypi] -username = __token__ -password = - -# This block is optional in case you want to be able to make test releases to the Test PyPI server -[testpypi] -repository = https://test.pypi.org/legacy/ -username = __token__ -password = +You have to do the following steps once per machine. + +```console +$ uv tool install keyring +$ keyring set https://upload.pypi.org/legacy/ __token__ +$ keyring set https://test.pypi.org/legacy/ __token__ ``` -Note that since PyPI is requiring token-based authentication, we use `__token__` as the user, verbatim. -If you already have a `.pypirc` file with a `[distutils]` section, just make sure that there is an `index-servers` -key and that `pypi` is in its associated list. More information on configuring the `.pypirc` file can -be found [here](https://packaging.python.org/en/latest/specifications/pypirc). +Note that this deprecates previous workflows using `.pypirc`. #### Uploading to PyPI 
@@ -273,8 +258,7 @@ This script does the following: and [`docs/source/conf.py`](docs/source/conf.py) to not have the `-dev` suffix 2. Packages the code in both a tar archive and a wheel using [`uv build`](https://docs.astral.sh/uv/guides/publish/#building-your-package) -3. Uploads to PyPI using [`twine upload`](https://github.com/pypa/twine). - This will be replaced soon with `uv publish` (see https://github.com/cthoyt/cookiecutter-snekpack/issues/29) +3. Uploads to PyPI using [`uv publish`](https://docs.astral.sh/uv/guides/publish/#publishing-your-package). 4. Push to GitHub. You'll need to make a release going with the commit where the version was bumped. 5. Bump the version to the next patch. If you made big changes and want to bump the version by minor, you can use `tox -e bumpversion -- minor` after. diff --git a/pyproject.toml b/pyproject.toml index a0776107..52707466 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -26,6 +26,7 @@ classifiers = [ "Framework :: Pytest", "Framework :: tox", "Framework :: Sphinx", + "Natural Language :: English", "Programming Language :: Python", "Programming Language :: Python :: 3.9", "Programming Language :: Python :: 3.10", @@ -33,6 +34,7 @@ classifiers = [ "Programming Language :: Python :: 3.12", "Programming Language :: Python :: 3.13", "Programming Language :: Python :: 3 :: Only", + "Typing :: Typed", ] keywords = [ "snekpack", # please keep this keyword to credit the cookiecutter-snekpack template diff --git a/tox.ini b/tox.ini index b3f2888c..d4062bfc 100644 --- a/tox.ini +++ b/tox.ini 
@@ -220,34 +220,19 @@ commands = # 3. Get account recovery codes # 4. Set up 2-Factor Authentication # 5. Get an API token from https://pypi.org/manage/account/token/ -# 6. Create a file called .pypirc in the home directory if it does not already exist. -# 7. Add the following content to the .pypirc file -# -# [distutils] -# index-servers= -# pypi -# testpypi -# -# [pypi] -# username = __token__ -# password = -# -# If there's already an `index-servers =` list, just make sure you add `pypi` to it. -# More information about .pypirc can be found at https://packaging.python.org/en/latest/specifications/pypirc/ +# 6. Install keyring with `uv tool install keyring` +# 7. Add your token to keyring with `keyring set https://upload.pypi.org/legacy/ __token__` [testenv:release] description = Release the code to PyPI so users can pip install it skip_install = true -passenv = - TWINE_USERNAME - TWINE_PASSWORD deps = {[testenv:build]deps} - twine >= 1.5.0 + uv + keyring commands = {[testenv:build]commands} - twine check dist/* - twine upload --skip-existing dist/* + uv publish --username __token__ --keyring-provider subprocess --publish-url https://upload.pypi.org/legacy/ [testenv:finish] description = @@ -256,8 +241,6 @@ description = skip_install = true passenv = HOME - TWINE_USERNAME - TWINE_PASSWORD deps = {[testenv:release]deps} bump-my-version 
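Review bot: The new `[testenv:release]` commands drop `twine check dist/*` with no replacement, so a distribution with broken metadata or an unrenderable long description is no longer caught before `uv publish` sends it to the index. Keeping `twine` in `deps` and the `twine check dist/*` line ahead of the publish command preserves that gate. Separately, the `keyring` added to `deps` is presumably the executable that `--keyring-provider subprocess` invokes to read the API token, and both it and `uv` are installed unconstrained on every run. A version bound or a hash-checked constraints file on those two would narrow what code gets to handle the credential. Both points apply equally to the `[testenv:testrelease]` hunk further down.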
@@ -282,35 +265,19 @@ allowlist_externals = # 3. Get account recovery codes # 4. Set up 2-Factor Authentication # 5. Get an API token from https://test.pypi.org/manage/account/token/ -# 6. Create a file called .pypirc in the home directory if it does not already exist. -# 7. Add the following content to the .pypirc file -# -# [distutils] -# index-servers= -# pypi -# testpypi -# -# [testpypi] -# repository = https://test.pypi.org/legacy/ -# username = __token__ -# password = -# -# If there's already an `index-servers =` list, just make sure you add `testpypi` to it. -# More information about .pypirc can be found at https://packaging.python.org/en/latest/specifications/pypirc/ +# 6. Install keyring with `uv tool install keyring` +# 7. Add your token to keyring with `keyring set https://test.pypi.org/legacy/ __token__` [testenv:testrelease] description = Release the code to the test PyPI site skip_install = true -passenv = - TWINE_USERNAME - TWINE_PASSWORD deps = {[testenv:build]deps} - twine >= 1.5.0 + uv + keyring commands = {[testenv:build]commands} - twine check dist/* - twine upload --skip-existing --repository testpypi dist/* + uv publish --username __token__ --keyring-provider subprocess --publish-url https://test.pypi.org/legacy/ [testenv:testfinish] description = @@ -319,8 +286,6 @@ description = skip_install = true passenv = HOME - TWINE_USERNAME - TWINE_PASSWORD deps = {[testenv:testrelease]deps} bump-my-version