base repository: PyO3/maturin
base: main
head repository: Phil-V/maturin
compare: trusted-publishing
  • 1 commit
  • 2 files changed
  • 1 contributor

Commits on Oct 9, 2023

  1. Use trusted publishing by default in generate-ci

    Modify the release action in the github CI workflow generated by
    `maturin generate-ci` to use PyPI's trusted publishing.
    
    Add trusted publishing section in the distribution docs.
    
    Add test for emscripten platform in generate-ci.
    Phil-V committed Oct 9, 2023
    9111edd View commit details
Showing with 133 additions and 13 deletions.
  1. +8 −0 guide/src/distribution.md
  2. +125 −13 src/ci.rs
8 changes: 8 additions & 0 deletions guide/src/distribution.md
@@ -289,3 +289,11 @@ Options:
-h, --help
Print help information (use `-h` for a summary)
```

### Using PyPI's trusted publishing

By default, the workflow provided by `generate-ci` will publish the release artifacts to PyPI without manual API token management using [trusted publishing (OpenID Connect)](https://docs.pypi.org/trusted-publishers/).

Make sure to follow the steps listed in [PyPI's documentation](https://docs.pypi.org/trusted-publishers/adding-a-publisher/) to set up your GitHub project as a trusted publisher in the PyPI project settings before attempting to run the workflow.

For more information, consult the [GitHub documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi) on the subject.
138 changes: 125 additions & 13 deletions src/ci.rs
@@ -460,11 +460,14 @@ jobs:\n",
"#,
needs = needs.join(", ")
));
conf.push_str(
r#" permissions:
id-token: write
"#,
);
if platforms.contains(&Platform::Emscripten) {
conf.push_str(
r#" permissions:
# Used to upload release artifacts
contents: write
r#" contents: write
"#,
);
}
@@ -475,8 +478,6 @@ jobs:\n",
name: wheels
- name: Publish to PyPI
uses: PyO3/maturin-action@v1
env:
MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
with:
command: upload
args: --non-interactive --skip-existing *
@@ -513,6 +514,7 @@ jobs:\n",
#[cfg(test)]
mod tests {
use super::GenerateCI;
use super::Platform;
use crate::BridgeModel;
use expect_test::expect;

@@ -634,14 +636,14 @@ mod tests {
runs-on: ubuntu-latest
if: "startsWith(github.ref, 'refs/tags/')"
needs: [linux, windows, macos, sdist]
permissions:
id-token: write
steps:
- uses: actions/download-artifact@v3
with:
name: wheels
- name: Publish to PyPI
uses: PyO3/maturin-action@v1
env:
MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
with:
command: upload
args: --non-interactive --skip-existing *"#]];
@@ -747,14 +749,14 @@ mod tests {
runs-on: ubuntu-latest
if: "startsWith(github.ref, 'refs/tags/')"
needs: [linux, windows, macos]
permissions:
id-token: write
steps:
- uses: actions/download-artifact@v3
with:
name: wheels
- name: Publish to PyPI
uses: PyO3/maturin-action@v1
env:
MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
with:
command: upload
args: --non-interactive --skip-existing *"#]];
@@ -923,14 +925,14 @@ mod tests {
runs-on: ubuntu-latest
if: "startsWith(github.ref, 'refs/tags/')"
needs: [linux, windows, macos, sdist]
permissions:
id-token: write
steps:
- uses: actions/download-artifact@v3
with:
name: wheels
- name: Publish to PyPI
uses: PyO3/maturin-action@v1
env:
MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
with:
command: upload
args: --non-interactive --skip-existing *"#]];
@@ -1041,17 +1043,127 @@ mod tests {
runs-on: ubuntu-latest
if: "startsWith(github.ref, 'refs/tags/')"
needs: [linux, windows, macos, sdist]
permissions:
id-token: write
steps:
- uses: actions/download-artifact@v3
with:
name: wheels
- name: Publish to PyPI
uses: PyO3/maturin-action@v1
env:
MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
with:
command: upload
args: --non-interactive --skip-existing *"#]];
expected.assert_eq(&conf);
}

#[test]
fn test_generate_github_platform_emscripten() {
let conf = GenerateCI {
platforms: vec![Platform::Emscripten],
..Default::default()
}
.generate_github(
"example",
&BridgeModel::Bindings("pyo3".to_string(), 7),
true,
)
.unwrap()
.lines()
.skip(5)
.collect::<Vec<_>>()
.join("\n");
let expected = expect![[r#"
name: CI
on:
push:
branches:
- main
- master
tags:
- '*'
pull_request:
workflow_dispatch:
permissions:
contents: read
jobs:
emscripten:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: pip install pyodide-build
- name: Get Emscripten and Python version info
shell: bash
run: |
echo EMSCRIPTEN_VERSION=$(pyodide config get emscripten_version) >> $GITHUB_ENV
echo PYTHON_VERSION=$(pyodide config get python_version | cut -d '.' -f 1-2) >> $GITHUB_ENV
pip uninstall -y pyodide-build
- uses: mymindstorm/setup-emsdk@v12
with:
version: ${{ env.EMSCRIPTEN_VERSION }}
actions-cache-folder: emsdk-cache
- uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- run: pip install pyodide-build
- name: Build wheels
uses: PyO3/maturin-action@v1
with:
target: wasm32-unknown-emscripten
args: --release --out dist -i ${{ env.PYTHON_VERSION }}
sccache: 'true'
rust-toolchain: nightly
- name: Upload wheels
uses: actions/upload-artifact@v3
with:
name: wasm-wheels
path: dist
sdist:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build sdist
uses: PyO3/maturin-action@v1
with:
command: sdist
args: --out dist
- name: Upload sdist
uses: actions/upload-artifact@v3
with:
name: wheels
path: dist
release:
name: Release
runs-on: ubuntu-latest
if: "startsWith(github.ref, 'refs/tags/')"
needs: [emscripten, sdist]
permissions:
id-token: write
contents: write
steps:
- uses: actions/download-artifact@v3
with:
name: wheels
- name: Publish to PyPI
uses: PyO3/maturin-action@v1
with:
command: upload
args: --non-interactive --skip-existing *
- uses: actions/download-artifact@v3
with:
name: wasm-wheels
path: wasm
- name: Upload to GitHub Release
uses: softprops/action-gh-release@v1
with:
files: |
wasm/*.whl
prerelease: ${{ contains(github.ref, 'alpha') || contains(github.ref, 'beta') }}"#]];
expected.assert_eq(&conf);
}
}
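Review bot: The release job now receives `id-token: write` for the whole job (the unconditional `conf.push_str` in the first hunk), and for `Platform::Emscripten` the same job also gets `contents: write` and runs `softprops/action-gh-release@v1`, so every step in that job, including actions referenced by a mutable tag, runs with the ability to request the OIDC token that PyPI accepts for publishing. I would generate the GitHub Release upload as a separate job that holds only `contents: write`, leaving `id-token: write` on a job whose only steps are the artifact download and `Publish to PyPI`. PyPI's trusted-publisher documentation also recommends binding the publisher to a GitHub environment; emitting a line such as `environment: release` (constructed name) in the release job, and mentioning it in the new docs section, would let users add required reviewers and restrict which tags can publish. The enclosing function (presumably `generate_github`, judging by the tests) starts and ends outside the visible hunks, so the exact insertion point needs checking against the full body.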