ci: use trusted publishing for release #1142
Conversation
See https://docs.pypi.org/trusted-publishers/. Loosely based on pytest CI.
|
We'll see if it works on release, might need fixups... |
| uses: hynek/build-and-inspect-python-package@2dbbf2b252d3a3c7cec7a810e3ed5983bd17b13a # v2.8.0 | ||
|
|
||
| deploy: | ||
| if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags') && github.repository == 'pytest-dev/pytest-django' |
There was a problem hiding this comment.
FYI, there's a github.ref_name available now.
There was a problem hiding this comment.
Not sure about github.ref_name but maybe github.ref_type is better for this?
| path: dist | ||
|
|
||
| - name: Publish package | ||
| uses: pypa/gh-action-pypi-publish@8a08d616893759ef8e1aa1f2785787c0b97e20d6 # v1.10.0 |
There was a problem hiding this comment.
With this version, it's possible to opt in to uploading digital attestations, FYI.
There was a problem hiding this comment.
Will look into it for the next release
| pip install --upgrade build | ||
|
|
||
| - name: Build package | ||
| run: python -m build |
There was a problem hiding this comment.
It's usually nice to keep it in the main workflow and put the job building the artifacts in front of the tests. Then, it'd be possible to test whatever's going to be uploaded, as opposed to building something new and potentially differing.
There was a problem hiding this comment.
Agree, but I didn't want to complicate/slow down the test CI for now, but wanted to at least do it right for the deploy workflow.
See https://docs.pypi.org/trusted-publishers/. Loosely based on pytest CI.