CI: Separate jobs for publishing to TestPyPI and PyPI #3742
Conversation
Have a dedicated build distribution job, and split the publish-to-TestPyPI and publish-to-PyPI jobs, to work around the attestation file issue. Xref pypa/gh-action-pypi-publish#283
    steps:
      - name: Checkout
        uses: actions/checkout@v4.2.2
        with:
          # fetch all history so that setuptools-scm works
          fetch-depth: 0
          persist-credentials: false
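Review bot: persist-credentials: false is the safer choice for this build job, because with the default (true) actions/checkout stores the job's GITHUB_TOKEN in the checked-out repository's .git/config as an HTTP auth header, where every later step in the same job (pip, build, any third-party action) can read it; the build job only needs to read the tree and tags for setuptools-scm, so it has no use for a writable token. Note that the setting does not affect sharing between jobs: jobs never share a workspace, so the publish jobs get nothing from this checkout either way. Consider pinning the action to its commit SHA rather than the v4.2.2 tag to protect the build job from a retagged action.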
Any specific reason to add the persist-credentials: false line?
This was from the template at https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#checking-out-the-project-and-building-distributions, so I just added it in. The default is persist-credentials: true according to https://github.com/actions/checkout/tree/v4.2.2?tab=readme-ov-file#checkout-v4, which would mean the credentials do not persist between jobs (e.g. from the build job to the publish-to-testpypi and publish-pypi jobs) and is supposed to be less secure if I'm reading actions/checkout#485 correctly. Setting persist-credentials: false should be more secure, though I'm unsure if it really matters.
Co-authored-by: Dongdong Tian <[email protected]>
Co-authored-by: Wei Ji <[email protected]>
References:
Fixes #3736