From 614bd7ac1685bd95420b3df8c3679be888dfb947 Mon Sep 17 00:00:00 2001
From: Ryan May
Date: Mon, 24 Apr 2023 13:20:47 -0600
Subject: [PATCH 1/4] CI: Run release action on release publication

Replaces running on tag push, since this new way is more focused and dependent on actually making the release.
---
 .github/workflows/release.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fe1f08c41..bdbf56b71 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,10 +1,10 @@
 name: Build and upload to PyPI
 
-# Only build on tagged releases
+# Only build on published releases
 on:
- push:
- tags:
- - '*'
+ release:
+ types:
+ - published
 
 jobs:
 build:

From 63986ab815ef0002255760c414ef6509bd3e123b Mon Sep 17 00:00:00 2001
From: Ryan May
Date: Mon, 24 Apr 2023 13:30:04 -0600
Subject: [PATCH 2/4] CI: Make release workflow two separate build and publish jobs

This restricts access to the PyPI token to ony the publish stage, rather than all code installed and executed during the setup and build parts. We can also restrict this to the PyPI environment.
---
 .github/workflows/release.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bdbf56b71..25ce87ade 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
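Review bot: The new `release: types: - published` trigger also fires when a GitHub release is published as a pre-release, so if this repository ever marks a release that way the workflow will build and upload it to PyPI like a final release. If that is not intended, gate the `build` job (which starts at the end of this hunk and continues outside it) with `if: ${{ !github.event.release.prerelease }}`, or decide explicitly that pre-releases should ship. The `on:` key reads as a YAML 1.1 boolean to generic parsers such as yamllint; GitHub's loader handles it, so only a linter suppression would be needed if it complains.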
@@ -32,6 +32,31 @@ jobs:
 - name: Create sdist
 run: python setup.py build_ext sdist
 
+ - name: Save built packages as artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: packages-${{ runner.os }}-${{ matrix.python-version }}
+ path: dist/
+ if-no-files-found: error
+ retention-days: 5
+
+ publish:
+ name: Publish to PyPI
+ needs: build
+ environment:
+ name: PyPI
+ url: https://pypi.org/project/cartopy
+ runs-on: ubuntu-18.04
+
+ steps:
+ - name: Download packages
+ uses: actions/download-artifact@v3
+
+ - name: Consolidate packages for upload
+ run: |
+ mkdir dist
+ cp packages-*/* dist/
+
 - name: Publish Package
 uses: pypa/gh-action-pypi-publish@master
 with:

From de45e712822314acea827409cc79e4e178037a1c Mon Sep 17 00:00:00 2001
From: Ryan May
Date: Mon, 24 Apr 2023 13:32:45 -0600
Subject: [PATCH 3/4] CI: Swap to a pinned version of the PyPA package

This is better security practice than using master/main.
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 25ce87ade..63a3ed369 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -58,7 +58,7 @@ jobs:
 cp packages-*/* dist/
 
 - name: Publish Package
- uses: pypa/gh-action-pypi-publish@master
+ uses: pypa/gh-action-pypi-publish@v1.8.5
 with:
 user: __token__
 password: ${{ secrets.pypi_token }}

From b074fdc4e8025b1db5ad736cad44b8e2fdec4451 Mon Sep 17 00:00:00 2001
From: Ryan May
Date: Mon, 24 Apr 2023 13:33:20 -0600
Subject: [PATCH 4/4] CI: Switch PyPI release to use "trusted publishing"
---
 .github/workflows/release.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 63a3ed369..410de01a2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
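Review bot: `runs-on: ubuntu-18.04` on the new `publish` job names a hosted-runner label that, as far as I recall, GitHub retired in April 2023, so the job is likely to fail to schedule; `runs-on: ubuntu-latest` avoids that, and the `build` job above the hunk (which the patch 4 hunk shows still on the same label) needs the same change. The split itself is the right shape: `needs: build` plus `environment: name: PyPI` keeps the publish credential away from everything the build steps install and run, but that isolation only holds if the `PyPI` environment has protection rules (required reviewers, deployment-branch restriction) set in the repository settings, which a workflow file cannot express and which is worth confirming. If every matrix leg runs the `python setup.py build_ext sdist` step shown as context, `cp packages-*/* dist/` overwrites the same sdist filename once per leg, so the uploaded sdist comes from whichever artifact sorts last; building the sdist in a single leg would make the upload deterministic.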
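Review bot: `uses: pypa/gh-action-pypi-publish@v1.8.5` pins a tag, and tags are mutable, so for the supply-chain goal the commit message gives the stronger form is a full commit SHA with the version recorded in a comment: `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # v1.8.5`. The same applies to `actions/upload-artifact@v3` and `actions/download-artifact@v3` introduced in the previous patch, and a Dependabot `github-actions` ecosystem entry keeps SHA pins from going stale. This job is the only place the PyPI credential is exposed, so pinning this action by SHA is where it matters most.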
@@ -46,6 +46,8 @@ jobs:
 environment:
 name: PyPI
 url: https://pypi.org/project/cartopy
+ permissions:
+ id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
 runs-on: ubuntu-18.04
 
 steps:
@@ -59,6 +61,3 @@ jobs:
 
 - name: Publish Package
 uses: pypa/gh-action-pypi-publish@v1.8.5
- with:
- user: __token__
- password: ${{ secrets.pypi_token }}
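Review bot: Dropping the `with: user/password` block (second hunk) stops the workflow from reading `secrets.pypi_token`, but the PyPI API token behind it and the repository secret stay valid until someone revokes them; once a trusted-publishing run succeeds, revoke the token on PyPI and delete the secret so a leaked copy cannot be used outside this workflow. Trusted publishing also needs the PyPI-side publisher entry to match this workflow's filename (`release.yml`) and the environment name `PyPI` exactly; that configuration is not visible here, so the first run should be watched for an OIDC mismatch error. The job-level `permissions:` block sets every scope other than `id-token` to none, which is the right least-privilege shape for a job that only downloads artifacts from the same run; that should still suffice for `actions/download-artifact@v3`, since it fetches artifacts of its own run rather than through the repository token, but it is worth confirming on the first run.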