From 1558dfe515a046123fe32dc8b8837941182b7c83 Mon Sep 17 00:00:00 2001 From: Tom Scholten Date: Mon, 14 Jul 2025 10:14:53 +0200 Subject: [PATCH 1/3] Migrate to Trusted Publishing (pypi) --- .github/workflows/merge.yml | 27 +++++++++-------- .github/workflows/verify.yml | 58 +++++++++++++++++++++--------------- CHANGELOG.md | 4 +++ 3 files changed, 52 insertions(+), 37 deletions(-) diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index 86aef558e..a954e7e44 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -13,12 +13,14 @@ on: types: closed branches: - main - - async jobs: publishing: name: Build and publish Python 🐍 distributions 📦 to PyPI runs-on: ubuntu-latest + environment: pypi + permissions: + id-token: write # Only trigger on merges, not just closes if: github.event.pull_request.merged == true steps: @@ -29,16 +31,15 @@ jobs: uses: actions/setup-python@v5 with: python-version: ${{ env.DEFAULT_PYTHON }} - - name: Install pypa/build - run: >- - python3 -m - pip install - build - --user - - name: Build a binary wheel and a source tarball - run: python3 -m build + - name: Prepare uv + run: | + pip install uv + uv venv --seed venv + - name: Build + run: | + . venv/bin/activate + uv build - name: Publish distribution 📦 to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 - with: - password: ${{ secrets.pypi_token }} - skip_existing: true + run: | + . venv/bin/activate + uv publish diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index 7a78313e7..22ec6976a 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -273,6 +273,9 @@ jobs: test-publishing: name: Build and publish Python 🐍 distributions 📦 to TestPyPI runs-on: ubuntu-latest + environment: testpypi + permissions: + id-token: write needs: - cache - prepare 
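Review bot: The release job's `Prepare uv` step installs the build and upload toolchain with an unpinned `pip install uv`, so whatever uv version PyPI serves at merge time runs with this job's `id-token: write` OIDC credential; pin it (`pip install 'uv==<version>'`, or the `astral-sh/setup-uv` action pinned to a commit SHA with an explicit `version:`) so the publisher cannot be swapped underneath a release. The replaced `pypa/gh-action-pypi-publish` step also generated PEP 740 attestations by default; I cannot confirm from this diff whether `uv publish` does, so verify that before relying on PyPI's provenance display. The `publishing` job header sits in the previous hunk.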
@@ -281,34 +284,41 @@ jobs: steps: - name: Check out committed code uses: actions/checkout@v4 - - name: Set up Python ${{ env.DEFAULT_PYTHON }} - id: python - uses: actions/setup-python@v5 - with: - python-version: ${{ env.DEFAULT_PYTHON }} - - name: Create or reuse cache - id: cache-reuse - uses: ./.github/actions/restore-venv - with: - cache-key: ${{ needs.cache.outputs.cache-key }} - python-version: ${{ steps.python.outputs.python-version }} - venv-dir: ${{ env.VENV }} - precommit-home: ${{ env.PRE_COMMIT_HOME }} - - name: Install pypa/build + - name: Prepare uv run: | + pip install uv + uv venv --seed venv . venv/bin/activate - uv pip install build - - name: Build a binary wheel and a source tarball + uv pip install toml + - name: Check for existing package on TestPyPI + id: check_package run: | . venv/bin/activate - python3 -m build - - name: Publish distribution 📦 to Test PyPI - uses: pypa/gh-action-pypi-publish@release/v1 - continue-on-error: true - with: - password: ${{ secrets.testpypi_token }} - repository_url: https://test.pypi.org/legacy/ - skip_existing: true + PACKAGE_VERSION=$(python -c "import toml; print(toml.load('pyproject.toml')['project']['version'])") + PACKAGE_NAME=$(python -c "import toml; print(toml.load('pyproject.toml')['project']['name'])") + + # Use jq to check for the version in the releases object + EXISTING_VERSIONS=$(curl -s "https://test.pypi.org/pypi/$PACKAGE_NAME/json" | jq '.releases | keys[]') + + echo "Checking for package: $PACKAGE_NAME==$PACKAGE_VERSION" + + if [[ "$EXISTING_VERSIONS" =~ "$PACKAGE_VERSION" ]]; then + echo "Package version already exists. Skipping upload." + echo "should_publish=false" >> $GITHUB_OUTPUT + else + echo "Package version does not exist. Proceeding with upload." + echo "should_publish=true" >> $GITHUB_OUTPUT + fi + - name: Build + if: steps.check_package.outputs.should_publish == 'true' + run: | + . 
venv/bin/activate + uv build + - name: Publish distribution 📦 to TestPyPI + if: steps.check_package.outputs.should_publish == 'true' + run: | + . venv/bin/activate + uv publish --publish-url https://test.pypi.org/legacy/ complexity: name: Process test complexity diff --git a/CHANGELOG.md b/CHANGELOG.md index ea852f188..6683927c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## Ongoing / v0.44.8a0 + +- Chores move module publishing on (test)pypi to Trusted Publishing (and using uv) - released as alpha 0.44.8a0 to demonstrate functionality + ## v0.44.7 - 2025-07-08 - PR [282](https://github.com/plugwise/python-plugwise-usb/pull/282): Finalize switch implementation From 4747c66be020d9284d942bf95ff036e37b65e749 Mon Sep 17 00:00:00 2001 From: Tom Scholten Date: Mon, 14 Jul 2025 11:31:48 +0200 Subject: [PATCH 2/3] Skip check for tool-merging as well --- .github/workflows/merge.yml | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index a954e7e44..bbf5934da 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml 
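Review bot: In the `Check for existing package on TestPyPI` step, `[[ "$EXISTING_VERSIONS" =~ "$PACKAGE_VERSION" ]]` with a quoted right-hand side is a literal substring test against the whole `keys[]` dump, so `0.44.8` is "found" as soon as `0.44.8a0` exists and `0.44.1` is found by `0.44.10`, and the Build and Publish steps are then skipped for a version that was never uploaded. Test key membership instead: `if curl -sf "https://test.pypi.org/pypi/$PACKAGE_NAME/json" | jq -e --arg v "$PACKAGE_VERSION" '.releases | has($v)' >/dev/null; then` — `-f` also keeps a 404 for a never-published project from being fed to jq as if it were release data. `uv pip install toml` pulls an unpinned third-party package into the publishing environment only to read `pyproject.toml`; the stdlib `tomllib` (Python 3.11+) does the same if the runner's Python qualifies. The `test-publishing` job definition begins outside this hunk.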
@@ -26,20 +26,38 @@ jobs: steps: - name: Check out committed code uses: actions/checkout@v4 - - name: Set up Python ${{ env.DEFAULT_PYTHON }} - id: python - uses: actions/setup-python@v5 - with: - python-version: ${{ env.DEFAULT_PYTHON }} - name: Prepare uv run: | pip install uv uv venv --seed venv + . venv/bin/activate + uv pip install toml + - name: Check for existing package on PyPI + id: check_package + run: | + . venv/bin/activate + PACKAGE_VERSION=$(python -c "import toml; print(toml.load('pyproject.toml')['project']['version'])") + PACKAGE_NAME=$(python -c "import toml; print(toml.load('pyproject.toml')['project']['name'])") + + # Use jq to check for the version in the releases object + EXISTING_VERSIONS=$(curl -s "https://pypi.org/pypi/$PACKAGE_NAME/json" | jq '.releases | keys[]') + + echo "Checking for package: $PACKAGE_NAME==$PACKAGE_VERSION" + + if [[ "$EXISTING_VERSIONS" =~ "$PACKAGE_VERSION" ]]; then + echo "Package version already exists. Skipping upload." + echo "should_publish=false" >> $GITHUB_OUTPUT + else + echo "Package version does not exist. Proceeding with upload." + echo "should_publish=true" >> $GITHUB_OUTPUT + fi - name: Build + if: steps.check_package.outputs.should_publish == 'true' run: | . venv/bin/activate uv build - name: Publish distribution 📦 to PyPI + if: steps.check_package.outputs.should_publish == 'true' run: | . venv/bin/activate uv publish From 2dc11643f6a03002f4c35254984be1ff433570c8 Mon Sep 17 00:00:00 2001 From: Tom Scholten Date: Mon, 14 Jul 2025 11:54:04 +0200 Subject: [PATCH 3/3] CRAI suggestions --- .github/workflows/merge.yml | 3 ++- .github/workflows/verify.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index bbf5934da..c20366dd9 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml 
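Review bot: This hunk copies the TestPyPI existence check verbatim into the production PyPI job with only the host changed, and it inherits the same literal-substring `=~` comparison, so a final `0.44.8` would be silently skipped once `0.44.8a0` is on PyPI — the alpha-then-final flow the CHANGELOG describes. Rather than maintain two copies that must be fixed in lockstep, move the check into a composite action or script parameterised by index URL, or, if the installed uv supports it, replace the hand-rolled check with `uv publish --check-url https://pypi.org/simple/`, which skips files already present on the index. Removing `actions/setup-python` also means `pip install uv` and `uv venv --seed venv` run against whichever Python the runner image ships, so `DEFAULT_PYTHON` no longer governs the interpreter used to build the release artefacts.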
@@ -20,7 +20,8 @@ jobs: runs-on: ubuntu-latest environment: pypi permissions: - id-token: write + contents: read # Required by actions/checkout + id-token: write # Needed for OIDC-based Trusted Publishing # Only trigger on merges, not just closes if: github.event.pull_request.merged == true steps: diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index 22ec6976a..4c91efca9 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -275,7 +275,8 @@ jobs: runs-on: ubuntu-latest environment: testpypi permissions: - id-token: write + contents: read # Required by actions/checkout + id-token: write # Needed for OIDC-based Trusted Publishing needs: - cache - prepare
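Review bot: Job-level `permissions` only narrows this job; if merge.yml and verify.yml have no top-level `permissions:` block (not visible in these hunks), every other job keeps the repository's default token scope, so consider `permissions: {}` at the top of both workflows so each job opts in explicitly. The PyPI trusted-publisher binding is keyed on the `pypi` / `testpypi` environment name, so the environments themselves should carry deployment protection (restrict to the `main` branch, required reviewers) — that is repository configuration this diff cannot show, but it is worth confirming given the trigger is a closed pull-request event. A comment such as `# environment must be protected in repo settings: this name is what PyPI trusts` next to `environment: pypi` would make that dependency visible to the next maintainer.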