update publishing flow to use ni/python-actions #227
Conversation
|
Thank you for contributing! 👋 |
|
@bkeryan, does this look right? (also, not sure how to test before merging...) |
After merging, it will show up in the UI, but, to test before merging:
|
There was a problem hiding this comment.
See https://github.com/ni/nitypes-python/blob/main/.github/workflows/publish.yml for a working example
|
|
||
| - name: Upload Python package | ||
| if: ${{ github.event.release.target_commitish == 'main' || startsWith(github.event.release.target_commitish, 'releases/')}} | ||
| uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 |
There was a problem hiding this comment.
Trusted publishing will not work without specifying the "pypi" environment and "id-token: write" permissions. See https://github.com/ni/nitypes-python/blob/main/.github/workflows/publish.yml#L66
Also, it is not secure to run poetry install, pytest, etc. in the "pypi" environment. You should split the workflow into multiple jobs:
- build/test, upload artifact (default permissions)
- download artifact, upload to pypi ("pypi" environment, "id-token: write" permissions)
- update project version (default permissions)
Also, you can test the publish workflow with TestPyPI by creating an account on test.pypi.org, editing the workflow to use testpypi by default, and publishing a release in your personal fork of the repo. |
Publishing is currently broken due to using an old PAT.
As part of switching to OIDC based publishing, we should bring in the update ni/python-actions templates