diff --git a/.yamllint b/.yamllint
index 97c08cfc..68bf02c4 100644
--- a/.yamllint
+++ b/.yamllint
@@ -1,2 +1,10 @@
-indentation:
- indent-sequences: false
+---
+
+extends: default
+
+rules:
+ indentation:
+ level: error
+ indent-sequences: false
+
+...
diff --git a/Dockerfile b/Dockerfile
index a97e302a..241d14ec 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.9-slim
+FROM python:3.11-slim
 LABEL "maintainer" "Sviatoslav Sydorenko "
 LABEL "repository" "https://github.com/pypa/gh-action-pypi-publish"
@@ -7,9 +7,19 @@ LABEL "homepage" "https://github.com/pypa/gh-action-pypi-publish"
 ENV PYTHONDONTWRITEBYTECODE 1
 ENV PYTHONUNBUFFERED 1
+ENV PIP_NO_CACHE_DIR 1
+
+ENV PATH "/root/.local/bin:${PATH}"
+ENV PYTHONPATH "/root/.local/lib/python3.11/site-packages"
+
+COPY requirements requirements
 RUN \
- pip install --upgrade --no-cache-dir pip-with-requires-python && \
- pip install --upgrade --no-cache-dir --prefer-binary twine
+ PIP_CONSTRAINT=requirements/runtime-prerequisites.txt \
+ pip install --user --upgrade --no-cache-dir \
+ -r requirements/runtime-prerequisites.in && \
+ PIP_CONSTRAINT=requirements/runtime.txt \
+ pip install --user --upgrade --no-cache-dir --prefer-binary \
+ -r requirements/runtime.in
 WORKDIR /app
 COPY LICENSE.md .
diff --git a/README.md b/README.md
index 789fe698..3c05b438 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,13 @@ This text suggests a minimalistic usage overview. For more detailed walkthrough check out the [PyPA guide].
+## 🌇 `master` branch sunset ❗
+
+The `master` branch version has been sunset. Please, change the GitHub
+Action version you use from `master` to `release/v1` or use an exact
+tag, or a full Git commit SHA.
+
+
 ## Usage
 To use the action add the following step to your workflow file (e.g.
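Review bot: The rewritten RUN in the second Dockerfile hunk pins versions through `PIP_CONSTRAINT=requirements/runtime-prerequisites.txt` and `PIP_CONSTRAINT=requirements/runtime.txt`, but nothing verifies what pip actually downloads, so the image still trusts whatever the index serves for `twine==4.0.1` and its transitive packages; regenerating the compiled files with `pip-compile --generate-hashes` and installing them directly under `--require-hashes` makes the build refuse any artifact whose digest is not recorded, and also removes the `.in`-plus-constraint indirection. `ENV PYTHONPATH "/root/.local/lib/python3.11/site-packages"` repeats the interpreter version from `FROM python:3.11-slim`, so the next base-image bump would silently leave PYTHONPATH pointing at an empty directory — an `ARG PYTHON_VERSION=3.11` redeclared after FROM and used in both places, or at minimum `# keep in sync with the FROM tag`, would guard that. The added `ENV` lines use the legacy space-separated form that BuildKit's build check reports as LegacyKeyValueFormat; `ENV PIP_NO_CACHE_DIR=1` is the current form, and with it set the per-command `--no-cache-dir` flags are redundant.
```dockerfile
# … unchanged: ENV and COPY requirements lines …
RUN \
  pip install --user --upgrade --no-cache-dir --require-hashes \
  -r requirements/runtime-prerequisites.txt && \
  pip install --user --upgrade --no-cache-dir --prefer-binary --require-hashes \
  -r requirements/runtime.txt
```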
@@ -18,14 +25,13 @@ To use the action add the following step to your workflow file (e.g.
 - name: Publish a Python distribution to PyPI uses: pypa/gh-action-pypi-publish@release/v1 with: - user: __token__ password: ${{ secrets.PYPI_API_TOKEN }} ```
-> **Pro tip**: instead of using branch pointers, like `master`, pin versions of
-Actions that you use to tagged versions or sha1 commit identifiers. This will
-make your workflows more secure and better reproducible, saving you from sudden
-and unpleasant surprises.
+> **Pro tip**: instead of using branch pointers, like `unstable/v1`, pin
+versions of Actions that you use to tagged versions or sha1 commit identifiers.
+This will make your workflows more secure and better reproducible, saving you
+from sudden and unpleasant surprises.
 A common use case is to upload packages only on a tagged commit, to do so add a filter to the step:
@@ -43,7 +49,6 @@ So the full step would look like: if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') uses: pypa/gh-action-pypi-publish@release/v1 with: - user: __token__ password: ${{ secrets.PYPI_API_TOKEN }} ```
@@ -105,7 +110,6 @@ The action invocation in this case would look like: - name: Publish package to TestPyPI uses: pypa/gh-action-pypi-publish@release/v1 with: - user: __token__ password: ${{ secrets.TEST_PYPI_API_TOKEN }} repository_url: https://test.pypi.org/legacy/ ```
@@ -120,7 +124,6 @@ would now look like: - name: Publish package to PyPI uses: pypa/gh-action-pypi-publish@release/v1 with: - user: __token__ password: ${{ secrets.PYPI_API_TOKEN }} packages_dir: custom-dir/ ```
@@ -174,6 +177,18 @@ It will show SHA256, MD5, BLAKE2-256 values of files to be uploaded.
 print_hash: true
 ```
+### Specifying a different username
+
+The default username value is `__token__`. If you publish to a custom
+registry that does not provide API tokens, like `devpi`, you may need to
+specify a custom username and password pair. This is how it's done.
+
+```yml
+ with:
+ user: guido
+ password: ${{ secrets.DEVPI_PASSWORD }}
+```
+
 ## License
 The Dockerfile and associated scripts and documentation in this project
@@ -188,7 +203,7 @@ https://github.com/pypa/gh-action-pypi-publish/issues/11#issuecomment-530480449 https://packaging.python.org/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ [PyPI API token]: https://pypi.org/help/#apitoken [Python distribution packages]:
-https://packaging.python.org/glossary/#term-distribution-package
+https://packaging.python.org/glossary/#term-Distribution-Package
 [SWUbanner]: https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner-direct-single.svg [SWUdocs]:
diff --git a/requirements/runtime-prerequisites.in b/requirements/runtime-prerequisites.in
new file mode 100644
index 00000000..02a20713
--- /dev/null
+++ b/requirements/runtime-prerequisites.in
@@ -0,0 +1 @@
+pip-with-requires-python
diff --git a/requirements/runtime-prerequisites.txt b/requirements/runtime-prerequisites.txt
new file mode 100644
index 00000000..8cad830d
--- /dev/null
+++ b/requirements/runtime-prerequisites.txt
@@ -0,0 +1,12 @@
+#
+# This file is autogenerated by pip-compile with Python 3.11
+# by the following command:
+#
+# pip-compile --allow-unsafe --output-file=requirements/runtime-prerequisites.txt --resolver=backtracking --strip-extras requirements/runtime-prerequisites.in
+#
+pip-with-requires-python==1.0.1
+ # via -r requirements/runtime-prerequisites.in
+
+# The following packages are considered to be unsafe in a requirements file:
+pip==22.3.1
+ # via pip-with-requires-python
diff --git a/requirements/runtime.in b/requirements/runtime.in
new file mode 100644
index 00000000..abf4ef42
--- /dev/null
+++ b/requirements/runtime.in
@@ -0,0 +1,11 @@
+twine
+
+# NOTE: `pkginfo` is a transitive dependency for us that is coming from Twine.
+# NOTE: It is declared here only to avoid installing a broken combination of
+# NOTE: the distribution packages. This should be removed once a fixed version
+# NOTE: of Twine is out.
+# Refs:
+# * https://github.com/pypa/gh-action-pypi-publish/issues/107
+# * https://github.com/pypa/twine/issues/940
+# * https://github.com/pypa/twine/pull/941
+pkginfo != 1.9.0
diff --git a/requirements/runtime.txt b/requirements/runtime.txt
new file mode 100644
index 00000000..40b6ff62
--- /dev/null
+++ b/requirements/runtime.txt
@@ -0,0 +1,72 @@
+#
+# This file is autogenerated by pip-compile with Python 3.11
+# by the following command:
+#
+# pip-compile --allow-unsafe --output-file=requirements/runtime.txt --resolver=backtracking --strip-extras requirements/runtime.in
+#
+bleach==5.0.1
+ # via readme-renderer
+certifi==2022.9.24
+ # via requests
+cffi==1.15.1
+ # via cryptography
+charset-normalizer==2.1.1
+ # via requests
+commonmark==0.9.1
+ # via rich
+cryptography==38.0.4
+ # via secretstorage
+docutils==0.19
+ # via readme-renderer
+idna==3.4
+ # via requests
+importlib-metadata==5.1.0
+ # via
+ # keyring
+ # twine
+jaraco-classes==3.2.3
+ # via keyring
+jeepney==0.8.0
+ # via
+ # keyring
+ # secretstorage
+keyring==23.11.0
+ # via twine
+more-itertools==9.0.0
+ # via jaraco-classes
+pkginfo==1.9.2
+ # via
+ # -r requirements/runtime.in
+ # twine
+pycparser==2.21
+ # via cffi
+pygments==2.13.0
+ # via
+ # readme-renderer
+ # rich
+readme-renderer==37.3
+ # via twine
+requests==2.28.1
+ # via
+ # requests-toolbelt
+ # twine
+requests-toolbelt==0.10.1
+ # via twine
+rfc3986==2.0.0
+ # via twine
+rich==12.6.0
+ # via twine
+secretstorage==3.3.3
+ # via keyring
+six==1.16.0
+ # via bleach
+twine==4.0.1
+ # via -r requirements/runtime.in
+urllib3==1.26.13
+ # via
+ # requests
+ # twine
+webencodings==0.5.1
+ # via bleach
+zipp==3.11.0
+ # via importlib-metadata