Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Automate releasing #339

Open
brettcannon opened this issue Oct 13, 2020 · 6 comments
Open

Automate releasing #339

brettcannon opened this issue Oct 13, 2020 · 6 comments

Comments

@brettcannon
Copy link
Member

As https://packaging.pypa.io/en/latest/development/release-process/ points out, it's already mostly automated. I think if we added a PyPI token and then used https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/ with the version number to release as the sole input we can make it so we can cut a release entirely in the browser.

@dHannasch
Copy link

Are you picturing this as a release.yml in .github/workflows? With the GPG password and API token mentioned by https://packaging.pypa.io/en/latest/development/release-process.html as secrets stored on GitHub? (A bit like https://github.com/pypa/gh-action-pypi-publish, but with workflow_dispatch like you mentioned?)

@brettcannon
Copy link
Member Author

Yeah, basically. Since there are multiple maintainers of this project, all of whom have the ability/clearance to do a release, automating it so it's as much of a button click as possible would be good.

@dHannasch dHannasch mentioned this issue Jun 23, 2021
@pradyunsg
Copy link
Member

x-ref #273

@pradyunsg
Copy link
Member

Noting for whenever we get to this: the current best practice is to use trusted publishers, which can also be combined with workflows blocking on approvals.

@brettcannon
Copy link
Member Author

Yep, I was actually thinking about this issue last week when I was setting trusted publishers up on some of my personal projects. 🙂

@webknjaz
Copy link
Member

With the GPG password

GPG support has been deprecated on the PyPI but we've added a Sigstore usage example to my PyPUG guide: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#signing-the-distribution-packages. It's passwordless and is integrated the same way as trusted publishing — through OIDC.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants