|
84 | 84 | # to next Github Actions job in line. |
85 | 85 | get-python-version-info: |
86 | 86 | runs-on: ubuntu-latest |
| 87 | + environment: pypi |
87 | 88 | permissions: write-all |
88 | 89 |
|
89 | 90 | # Output which is passed to the PyPi publication job |
@@ -150,12 +151,21 @@ jobs: |
150 | 151 | # |
151 | 152 | # BEGIN of Job 2 |
152 | 153 | # |
153 | | - # This section will create the PyPi package and first deploy it to PyPi test. |
154 | | - # If successful, it will also try to issue a PyPi Prod deployment afterwards |
| 154 | + # This section will create the PyPi package and deploy it to PyPi test. |
| 155 | + # in case a pre-release was selected |
155 | 156 | # |
156 | | - deploy-to-pypi: |
| 157 | + # NOTE: When using PyPi's 'Trusted Publishing", one cannot use the same |
| 158 | + # OIDC token for both Test and Prod - otherwise, error |
| 159 | + # "Attestation generation failure: The following distributions already have publish attestations" |
| 160 | + # will be thrown. See https://github.com/pypa/gh-action-pypi-publish/issues/319 for details |
| 161 | + # This is the only reason for Test and Prod not sharing the same work flow |
| 162 | + # |
| 163 | + deploy-to-pypi-test: |
157 | 164 | runs-on: ubuntu-latest |
| 165 | + environment: pypi |
158 | 166 | needs: get-python-version-info |
| 167 | + permissions: |
| 168 | + id-token: write |
159 | 169 |
|
160 | 170 | steps: |
161 | 171 |
|
@@ -187,17 +197,65 @@ jobs: |
187 | 197 | if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags') |
188 | 198 | uses: pypa/gh-action-pypi-publish@release/v1 |
189 | 199 | with: |
190 | | - user: __token__ |
191 | | - password: ${{ secrets.TEST_PYPI_API_TOKEN }} |
| 200 | + #user: __token__ |
| 201 | + #password: ${{ secrets.TEST_PYPI_API_TOKEN }} |
192 | 202 | repository-url: https://test.pypi.org/legacy/ |
193 | 203 |
|
| 204 | + # |
| 205 | + # END of Job 2 |
| 206 | + # |
| 207 | + # |
| 208 | + # BEGIN of Job 3 |
| 209 | + # |
| 210 | + # This section will create the PyPi package and fdeploy it to PyPi Prod. |
| 211 | + # |
| 212 | + # NOTE: When using PyPi's 'Trusted Publishing", one cannot use the same |
| 213 | + # OIDC token for both Test and Prod - otherwise, error |
| 214 | + # "Attestation generation failure: The following distributions already have publish attestations" |
| 215 | + # will be thrown. See https://github.com/pypa/gh-action-pypi-publish/issues/319 for details |
| 216 | + # This is the only reason for Test and Prod not sharing the same work flow |
| 217 | + # |
| 218 | + deploy-to-pypi-prod: |
| 219 | + runs-on: ubuntu-latest |
| 220 | + environment: pypi |
| 221 | + needs: [get-python-version-info, deploy-to-pypi-test] |
| 222 | + permissions: |
| 223 | + id-token: write |
| 224 | + |
| 225 | + steps: |
| 226 | + |
| 227 | + - uses: actions/checkout@v5 |
| 228 | + # Set up Python environment |
| 229 | + - name: Set up Python |
| 230 | + if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags') && !github.event.release.prerelease |
| 231 | + uses: actions/setup-python@v6 |
| 232 | + with: |
| 233 | + python-version: '${{ env.PYTHON_VERSION }}' |
| 234 | + |
| 235 | + # Install all dependencies |
| 236 | + - name: Install dependencies |
| 237 | + if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags') && !github.event.release.prerelease |
| 238 | + run: | |
| 239 | + python -m pip install --upgrade pip |
| 240 | + pip install build |
| 241 | +
|
| 242 | + # Export the program version; content will be picked up by the setup.py script |
| 243 | + - name: Export program version |
| 244 | + if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags') && !github.event.release.prerelease |
| 245 | + run: echo GITHUB_PROGRAM_VERSION='${{ needs.get-python-version-info.outputs.my-program-version }}' >> $GITHUB_ENV |
| 246 | + |
| 247 | + # Build the package. The export MUST be part of THIS step |
| 248 | + # Otherwise, the Python setup job will not see this information |
| 249 | + - name: Build package |
| 250 | + if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags') && !github.event.release.prerelease |
| 251 | + run: python -m build |
| 252 | + |
194 | 253 | # Publish everything to Prod PyPi but only if it is not a prerelease |
195 | 254 | - name: Publish package to Prod PyPi |
196 | 255 | if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags') && !github.event.release.prerelease |
197 | 256 | uses: pypa/gh-action-pypi-publish@release/v1 |
198 | | - with: |
199 | | - user: __token__ |
200 | | - password: ${{ secrets.PROD_PYPI_API_TOKEN }} |
201 | | - # |
202 | | - # END of Job 2 |
| 257 | + #with: |
| 258 | + #user: __token__ |
| 259 | + #password: ${{ secrets.PROD_PYPI_API_TOKEN }} |
203 | 260 | # |
| 261 | + # END of Job 3 |
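Review bot: `deploy-to-pypi-prod` binds to the same `environment: pypi` as `deploy-to-pypi-test` and as `get-python-version-info` (which still carries `permissions: write-all`), so the environment cannot gate production on its own. If the PyPI trusted publisher is restricted to that environment name (its configuration is not visible here), a token requested from any of the three jobs would satisfy it, and protection rules such as required reviewers would fire for Test uploads and the version job as well. I would give the Test job its own environment, for example `environment: testpypi`, drop `environment: pypi` from `get-python-version-info` and narrow its permissions to what it uses, and keep `pypi` on the prod job only. Separately, the `Export program version` step expands `${{ needs.get-python-version-info.outputs.my-program-version }}` directly into the shell line in a job that holds `id-token: write`. Passing it through `env: PROGRAM_VERSION: ${{ needs.get-python-version-info.outputs.my-program-version }}` and writing `echo "GITHUB_PROGRAM_VERSION=$PROGRAM_VERSION" >> "$GITHUB_ENV"` keeps the value out of the script text.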