gha: automate PyPI release of python bindings

Switching to the "Trusted Publisher" model with PyPI means I don't have to worry about remembering to uploading updates correctly each time. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
openSUSE · Oct 9, 2024 · 229d8b8 · 229d8b8
1 parent 30814e7
commit 229d8b8
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/.github/workflows/bindings-python.yml b/.github/workflows/bindings-python.yml
@@ -148,12 +148,41 @@ jobs:
  # Run smoke-tests.
  - run: make -C examples/python smoke-test
 
+ # TODO: Should we move this to a separate workflow?
+ release-pypi:
+ if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+ needs:
+ - build-pyproject
+ runs-on: ubuntu-latest
+ environment:
+ name: release-pypi
+ url: "https://pypi.org/p/pathrs"
+ permissions:
+ id-token: write
+ steps:
+ - name: download built python-pathrs
+ uses: actions/download-artifact@v4
+ with:
+ name: python-3.x-pathrs-dist
+ path: ${{ env.PYTHON_DIST }}
+ # PyPI doesn't let us upload our native wheel because we aren't building
+ # using the restrictive manylinux set of libraries (because we depend on
+ # libpathrs.so).
+ - name: remove wheel from python-pathrs
+ run: rm -fv ${{ env.PYTHON_DIST }}/*.whl
+ - name: upload python-pathrs to pypi
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ packages-dir: ${{ env.PYTHON_DIST }}
+
  complete:
+ if: ${{ ! failure() && ! cancelled() }}
  needs:
  - black
  - mypy
  - build-pyproject
  - smoke-test
+ - release-pypi
  runs-on: ubuntu-latest
  steps:
  - run: echo "Python CI jobs completed successfully."