Merge pull request #182 from kjd/github-pypi-actions

kjd · web-flow · commit 12d4dd133964 · 2024-08-22T15:39:12.000-07:00
Implement current best practice for using Github Actions for package building and PyPI distribution
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -1,35 +1,114 @@
-# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
-# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+# Adapted from https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/
 
-name: "Publish to PyPI"
+name: Publish to PyPI
+on: push
+jobs:
 
-on:
-  push:
-    tags:
-      - "*"
+  build:
+    name: Build distribution
+    runs-on: ubuntu-latest
 
-permissions:
-  contents: "read"
+    steps:
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+    - name: Set up Python
+      uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5
+      with:
+        python-version: "3.x"
+    - name: Install pypa/build
+      run: python3 -m pip install build --user
+    - name: Build a binary wheel and a source tarball
+      run: python3 -m build
+    - name: Store the distribution packages
+      uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4
+      with:
+        name: python-package-distributions
+        path: dist/
 
-jobs:
-  publish:
-    name: "Publish to PyPI"
-    runs-on: "ubuntu-latest"
+  publish-to-pypi:
+    name: >-
+      Publish to PyPI
+    if: startsWith(github.ref, 'refs/tags/')  # only publish to PyPI on tag pushes
+    needs:
+    - build
+    runs-on: ubuntu-latest
     environment:
-      name: "publish"
+      name: pypi
+      url: https://pypi.org/p/idna  # Replace <package-name> with your PyPI project name
+    permissions:
+      id-token: write  # IMPORTANT: mandatory for trusted publishing
+
     steps:
-    - name: "Checkout repository"
-      uses: "actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b"
+    - name: Download all the dists
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Publish distribution to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
 
-    - name: "Setup Python"
-      uses: "actions/setup-python@b55428b1882923874294fa556849718a1d7f2ca5"
+  github-release:
+    name: Sign and upload GitHub Release
+    needs:
+    - publish-to-pypi
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write  # IMPORTANT: mandatory for making GitHub Releases
+      id-token: write  # IMPORTANT: mandatory for sigstore
+
+    steps:
+    - name: Download the dists
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
       with:
-        python-version: "3.x"
+        name: python-package-distributions
+        path: dist/
+    - name: Sign with Sigstore
+      uses: sigstore/gh-action-sigstore-python@v2.1.1
+      with:
+        inputs: >-
+          ./dist/*.tar.gz
+          ./dist/*.whl
+    - name: Create GitHub Release
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      run: >-
+        gh release create
+        '${{ github.ref_name }}'
+        --repo '${{ github.repository }}'
+        --notes ""
+    - name: Upload artifact signatures to GitHub Release
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      # Upload to GitHub Release using the `gh` CLI.
+      # `dist/` contains the built packages, and the
+      # sigstore-produced signatures and certificates.
+      run: >-
+        gh release upload
+        '${{ github.ref_name }}' dist/**
+        --repo '${{ github.repository }}'
+
+#  publish-to-testpypi:
+#    name: Publish to Test PyPI
+#    needs:
+#    - build
+#    runs-on: ubuntu-latest
+
+#    environment:
+#      name: testpypi
+#      url: https://test.pypi.org/p/idna
 
-    - name: "Build dists"
-      run: |
-        python -m pip install build
-        python -m build
+#    permissions:
+#      id-token: write  # IMPORTANT: mandatory for trusted publishing
 
-    - name: "Publish to PyPI"
-      uses: "pypa/gh-action-pypi-publish@37f50c210e3d2f9450da2cd423303d6a14a6e29f"
+#    steps:
+#    - name: Download all the dists
+#      uses: actions/download-artifact@v4
+#      with:
+#        name: python-package-distributions
+#        path: dist/
+#    - name: Publish distribution to TestPyPI
+#      uses: pypa/gh-action-pypi-publish@release/v1
+#      with:
+#        verbose: true
+#        print-hash: true
+#        repository-url: https://test.pypi.org/legacy/
