Updated releaser workflows available at 67474b6 (#25)

* Automatic update of the releaser workflows * Update release documentation * Prettify RELEASE.md --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Frédéric Collonval <fcollonval@users.noreply.github.com> Co-authored-by: Frédéric Collonval <fcollonval@gmail.com>
jupyterlab · Jun 22, 2023 · ebecc2a · ebecc2a
1 parent 67474b6
commit ebecc2a
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 7 deletions.
diff --git a/template/.github/workflows/prep-release.yml b/template/.github/workflows/prep-release.yml
@@ -32,7 +32,6 @@ jobs:
  token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
  version_spec: ${{ github.event.inputs.version_spec }}
  post_version_spec: ${{ github.event.inputs.post_version_spec }}
- target: ${{ github.event.inputs.target }}
  branch: ${{ github.event.inputs.branch }}
  since: ${{ github.event.inputs.since }}
  since_last_stable: ${{ github.event.inputs.since_last_stable }}

diff --git a/template/.github/workflows/publish-release.yml b/template/.github/workflows/publish-release.yml
@@ -15,6 +15,10 @@ on:
 jobs:
  publish_release:
  runs-on: ubuntu-latest
+ permissions:
+ # This is useful if you want to use PyPI trusted publisher
+ # and NPM provenance
+ id-token: write
  steps:
  - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
 
@@ -23,22 +27,21 @@ jobs:
  uses: jupyter-server/jupyter_releaser/.github/actions/populate-release@v2
  with:
  token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
- target: ${{ github.event.inputs.target }}
  branch: ${{ github.event.inputs.branch }}
  release_url: ${{ github.event.inputs.release_url }}
  steps_to_skip: ${{ github.event.inputs.steps_to_skip }}
 
  - name: Finalize Release
  id: finalize-release
  env:
- PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
- PYPI_TOKEN_MAP: ${{ secrets.PYPI_TOKEN_MAP }}
- TWINE_USERNAME: __token__
+ # The following are needed if you use legacy PyPI set up
+ # PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
+ # PYPI_TOKEN_MAP: ${{ secrets.PYPI_TOKEN_MAP }}
+ # TWINE_USERNAME: __token__
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  uses: jupyter-server/jupyter-releaser/.github/actions/finalize-release@v2
  with:
  token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
- target: ${{ github.event.inputs.target }}
  release_url: ${{ steps.populate-release.outputs.release_url }}
 
  - name: "** Next Step **"

diff --git a/template/RELEASE.md.jinja b/template/RELEASE.md.jinja
@@ -64,7 +64,41 @@ Check out the [workflow documentation](https://jupyter-releaser.readthedocs.io/e
 
 Here is a summary of the steps to cut a new release:
 
-- Add `ADMIN_GITHUB_TOKEN`, `PYPI_TOKEN` and `NPM_TOKEN` to the [Github Secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) in the repository
+- Add tokens to the [Github Secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) in the repository:
+ - `ADMIN_GITHUB_TOKEN` (with "public_repo" and "repo:status" permissions); see the [documentation](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
+ - `NPM_TOKEN` (with "automation" permission); see the [documentation](https://docs.npmjs.com/creating-and-viewing-access-tokens)
+- Set up PyPI
+
+<details><summary>Using PyPI trusted publisher (modern way)</summary>
+
+- Set up your PyPI project by [adding a trusted publisher](https://docs.pypi.org/trusted-publishers/adding-a-publisher/)
+ - The _workflow name_ is `publish-release.yml` and the _environment_ should be left blank.
+- Ensure the publish release job as `permissions`: `id-token : write` (see the [documentation](https://docs.pypi.org/trusted-publishers/using-a-publisher/))
+
+</details>
+
+<details><summary>Using PyPI token (legacy way)</summary>
+
+- If the repo generates PyPI release(s), create a scoped PyPI [token](https://packaging.python.org/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#saving-credentials-on-github). We recommend using a scoped token for security reasons.
+
+- You can store the token as `PYPI_TOKEN` in your fork's `Secrets`.
+
+ - Advanced usage: if you are releasing multiple repos, you can create a secret named `PYPI_TOKEN_MAP` instead of `PYPI_TOKEN` that is formatted as follows:
+
+ ```text
+ owner1/repo1,token1
+ owner2/repo2,token2
+ ```
+
+ If you have multiple Python packages in the same repository, you can point to them as follows:
+
+ ```text
+ owner1/repo1/path/to/package1,token1
+ owner1/repo1/path/to/package2,token2
+ ```
+
+</details>
+
 - Go to the Actions panel
 - Run the "Step 1: Prep Release" workflow
 - Check the draft changelog