From aad9434c58a1ef238f500d8a92012c56bc215aef Mon Sep 17 00:00:00 2001 From: Pedro Algarvio Date: Fri, 28 Jul 2023 07:24:45 +0100 Subject: [PATCH 1/3] Publish packages to PyPi with trusted publishers Signed-off-by: Pedro Algarvio --- .github/workflows/release.yml | 15 +++++++++++---- .github/workflows/testing.yml | 11 +++++++---- changelog/151.trivial.rst | 1 + 3 files changed, 19 insertions(+), 8 deletions(-) create mode 100644 changelog/151.trivial.rst diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 86d6a264..b1a0bc54 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,19 +5,26 @@ on: types: [created] jobs: - Publish: + publish: + name: Publish Release + environment: release runs-on: ubuntu-latest + permissions: + id-token: write # IMPORTANT: this permission is mandatory for trusted publishing steps: - uses: actions/checkout@v3 with: fetch-depth: 0 + - name: Set up Python uses: actions/setup-python@v4 with: python-version: 3.9 + - name: Install Nox run: | python -m pip install nox + - name: Build a binary wheel and a source tarball run: | nox -e build @@ -25,6 +32,6 @@ jobs: - name: Publish distribution 📦 to PyPI uses: pypa/gh-action-pypi-publish@release/v1 with: - user: __token__ - password: ${{ secrets.PYPI_TOKEN }} - print_hash: true + print-hash: true + skip-existing: true + verify-metadata: true diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index d57760ce..245d7900 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -435,6 +435,9 @@ jobs: Build: runs-on: ubuntu-latest + environment: release + permissions: + id-token: write # IMPORTANT: this permission is mandatory for trusted publishing needs: - Docs - PyLint 
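Review bot: The `id-token: write` grant added under `publish` in release.yml covers every step of the job, so `python -m pip install nox` and `nox -e build` run with the ability to request the OIDC token that PyPI trusts. Splitting the job keeps that permission on a job that only downloads the built files and uploads them; the `Build` job in testing.yml gets the same job-wide grant in this patch and would benefit from the same split. Setting `permissions:` at job level also drops every unlisted scope to none, so if this repository is ever private the checkout step would need `contents: read` as well. The `dist/` path in the sketch below is assumed from the publish action's default and should be checked against what `nox -e build` writes.

```yaml
jobs:
  build:
    name: Build Distributions
    runs-on: ubuntu-latest
    # No id-token permission here: this job runs pip- and nox-installed code.
    steps:
      # … unchanged: checkout, Set up Python, Install Nox, nox -e build …
      - name: Upload distributions
        uses: actions/upload-artifact@v3
        with:
          name: dist
          path: dist/  # assumed output directory of `nox -e build`; confirm

  publish:
    name: Publish Release
    needs: build
    environment: release
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # only the upload job can request the OIDC token
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: dist
          path: dist/
      # … unchanged: Publish distribution to PyPI step …
```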
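Review bot: `skip-existing: true` on the production PyPI upload makes the step succeed when a file with the same name is already published, so a release run that uploaded nothing still shows green. The input is reasonable for the TestPyPI step in testing.yml, where repeated uploads of the same version are expected, but for the real index a name collision is worth failing on. I would keep `print-hash: true` and `verify-metadata: true` here and remove the `skip-existing: true` line.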
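Review bot: `environment: release` is added at job level on `Build`, so every run of this job, not only the tag pushes that reach the TestPyPI step, is recorded against the same environment that release.yml uses for production. Any protection rule placed on that environment (required reviewers, branch or tag restrictions) would then also gate ordinary CI, which tends to push maintainers towards leaving the environment unprotected. A separate environment for TestPyPI keeps the two trust relationships apart, for example `environment: testpypi` (example name; it has to match what the TestPyPI trusted publisher is configured with). The workflow triggers and the rest of the job are outside this hunk, so which events reach `Build` is inferred from the `if:` on the publish step.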
@@ -463,7 +466,7 @@ jobs: if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') uses: pypa/gh-action-pypi-publish@release/v1 with: - user: __token__ - password: ${{ secrets.TEST_PYPI_TOKEN }} - repository_url: https://test.pypi.org/legacy/ - print_hash: true + repository-url: https://test.pypi.org/legacy/ + print-hash: true + skip-existing: true + verify-metadata: true diff --git a/changelog/151.trivial.rst b/changelog/151.trivial.rst new file mode 100644 index 00000000..98e85654 --- /dev/null +++ b/changelog/151.trivial.rst @@ -0,0 +1 @@ +Publish packages to PyPi with trusted publishers From 9f8bdbfa50e5e2767193f97a644c853149bbbcd7 Mon Sep 17 00:00:00 2001 From: Pedro Algarvio Date: Fri, 28 Jul 2023 07:28:36 +0100 Subject: [PATCH 2/3] Enable dependabot to update the GH Actions versions on a weekly basis Signed-off-by: Pedro Algarvio --- .github/dependabot.yml | 8 ++++++++ changelog/151.trivial.rst | 5 ++++- 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..df4d15b3 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,8 @@ +version: 2 +updates: + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + # Check for updates to GitHub Actions every week + interval: "weekly" diff --git a/changelog/151.trivial.rst b/changelog/151.trivial.rst index 98e85654..cbe750bb 100644 --- a/changelog/151.trivial.rst +++ b/changelog/151.trivial.rst @@ -1 +1,4 @@ -Publish packages to PyPi with trusted publishers +Some internal processes improvements: + +* Publish packages to PyPi with trusted publishers +* Enable dependabot to update the GH Actions versions on a weekly basis From a55993d217a54b07fa1d6f6586a3d0b5f34913e9 Mon Sep 17 00:00:00 2001 From: Pedro Algarvio Date: Fri, 28 Jul 2023 07:32:09 +0100 Subject: [PATCH 3/3] Fix bad action step title 
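Review bot: The new `github-actions` entry in dependabot.yml can only propose bumps for refs it can version, and the publishing step in both workflows uses the branch ref `pypa/gh-action-pypi-publish@release/v1`, which moves without any pull request. Pinning the actions in the jobs that hold `id-token: write` to a full commit SHA with the version in a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # <version tag>` (placeholders), gives Dependabot something to update and makes each change to the publishing action reviewable. A short comment above the entry saying that it covers workflow actions only, and that the unpinned `pip install nox` in the release job is not tracked by it, would help the next reader.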
Signed-off-by: Pedro Algarvio --- .github/workflows/testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index 245d7900..70beeb2c 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -99,7 +99,7 @@ jobs: run: | nox --force-color -e lint --install-only - - name: Build Docs + - name: Lint Code env: SKIP_REQUIREMENTS_INSTALL: YES run: |