Skip to content

Enable trusted publishing (OIDC) #7622

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Dec 23, 2024
Merged

Enable trusted publishing (OIDC) #7622

Changes from 2 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
32e3062
Set persist-credentials: false in release workflow
maresb Dec 22, 2024
12093b5
Enable trusted publishing (OIDC)
maresb Dec 22, 2024
92381ac
Add more comments to explain parameters
maresb Dec 23, 2024
2d7354b
Fix upload only on published, NOT push
maresb Dec 23, 2024
ea610c4
Make the upload conditional more specific
maresb Dec 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
75 changes: 31 additions & 44 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,55 +1,42 @@
name: release-pipeline

on:
push:
branches:
- main
release:
types:
- created
- published

jobs:
release-job:
build-package:
runs-on: ubuntu-latest
env:
PYPI_TOKEN: ${{ secrets.PYPI_TOKEN_PYMC }}
permissions:
# write attestations and id-token are necessary for attest-build-provenance-github
attestations: write
id-token: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: 3.7
# TODO: ideally, this pipeline should run parallelized tests in upstream jobs..
#- name: Install test tooling
# run: |
# pip install pytest pytest-cov nose nose-parameterized
# pip install -r requirements.txt
#- name: Run tests
# run: |
# pytest --cov=./pymc --cov-report term-missing pymc/
- name: Install release tooling
run: |
pip install build twine
- name: Build package
run: |
python -m build
- name: Check version number match
run: |
echo "GITHUB_REF: ${GITHUB_REF}"
# The GITHUB_REF should be something like "refs/tags/v1.2.3"
# Make sure the package version is the same as the tag
grep -Rq "^Version: ${GITHUB_REF:11}$" pymc.egg-info/PKG-INFO
- name: Publish to PyPI
run: |
twine check dist/*
twine upload --repository pypi --username __token__ --password ${PYPI_TOKEN} dist/*
test-install-job:
needs: release-job
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
- uses: hynek/build-and-inspect-python-package@14c7e53f5d033cfa99f7af916fa59a6f7f356394 # v2.11.0
with:
attest-build-provenance-github: true

publish-package:
if: github.repository_owner == 'pymc-devs' && github.event_name == 'push' && github.ref == 'refs/heads/main'
environment: release
needs: build-package
runs-on: ubuntu-latest
permissions:
# write id-token is necessary for trusted publishing (OIDC)
id-token: write
steps:
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: 3.7
- name: Give PyPI a chance to update the index
run: sleep 240
- name: Install from PyPI
run: |
pip install pymc==${GITHUB_REF:11}
- name: Download Distribution Artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: Packages
path: dist
- name: Publish Package to PyPI
uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3
Loading