-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update the GHA workflow for publishing to PyPI and eliminate discouraged practices #120
Comments
Thank you! The project doesn't need much maintenance but since I'm not using Python at work I think it would make sense to find a new home for it and @aio-libs makes perfect sense. I'd be happy to move it there and continue maintaining it there. |
Your call but I've gone ahead and invited you to the org! Whenever you're ready, give me the owner permission so I could do the transfer. You'll be free to set up accesses as you see fit and I typically help out with CI/CD/packaging/RTD/docs subdomain when needed, even though I don't normally maintain each project under the @aio-libs umbrella. |
Hey @saghul, I've found an invitation to join the repository in my inbox that I missed in April… Would you mind re-sending it? |
@saghul ^ |
Hey! Sure thing! |
@saghul thanks, finally we're in sync :) |
Not sure how I can do that, WTF? Since this is my personal account I can only add you as a collaborator. |
Oh… I forgot this is how it works. We need a “mule” account in between. So you probably need to transfer it to me, and I'd transfer it to the org then. |
GH will keep the redirects on the HTTP and Git levels even with such a double move, by the way. |
@saghul so I've got an idea of a mule-org and made one. Let's test using it as a trampoline instead... |
Done! |
I looked at the new "repo transfer" interface and realized that they seem to have a direct transfer possibility now... So I was probably overengineering here :) |
@saghul now that it's in, could you give me “Owner” on PyPI, so I could transfer it over there and configure tokenless publishing for the later GHA->PyPI integration? |
Same username there? |
yep |
@saghul plz let me know when you do that and I'll cross that item off my list ;) Everything else does not strictly require my involvement (or yours for that matter), so maybe @Dreamsorcerer or @bdraco would have a minute to pick up those items. |
I've updated the checklist in the initial post. |
Invited you to pypi! |
Thanks! I moved it and adjusted the privileges (the org is the only owner, others are maintainers so they show up in the UI on the project page). |
Configured trust on the PyPI side similar to other projects. Ideally, the unified workflow should move into |
Feel free to go ahead! |
Hey, I noticed you're using my action for uploading to the PyPI, but its version is outdated — it was deprecated 2 years ago (pypa/gh-action-pypi-publish@1bbe3c9) and doesn't contain modern features. I noticed that other actions referenced in the workflow also use deprecated versions that may stop working anytime now.
Follow https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ to get it up-to-date. The GH doc is not as detailed: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi#updating-your-github-actions-workflow.
Action items:
release/v1
for stable rolling updates, or concrete tags/commit SHAs + dependabot)with:
PYPI_PASSWORD
secret from the repository settings on GitHubattestations: true
underwith:
(this is a new, experimental digital signing feature of the action)pypi
with required reviews in the repo settingssetup.py
withpython -Im build
— this will build an sdist and a wheel out of that sdist (as a smoke test) if you don't pass unnecessary CLI args that would change this behaviorP.S. If you ever decide you want to host this project under @aio-libs (which would make sense for us given that aiohttp depends on it, but no pressure!) — let me know and I can make this happen.Moving
aiodns
under the @aio-libs umbrella:The text was updated successfully, but these errors were encountered: