-
Notifications
You must be signed in to change notification settings - Fork 159
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pivot PyPI publishing to use trusted publishers #1001
Conversation
This commit updates the wheel job CI configuration to leverage PyPI's trusted publisher mechanism. Moving forward the bot account we've been using will be deleted (as it will require 2fa) and the rustworkx github repository's wheels.yml workflow has been setup as a trusted publisher. This commit updates the job configuration per: https://docs.pypi.org/trusted-publishers/using-a-publisher/ to autheticate the job directly against pypi for publishing the package files without needign any user credentials.
Pull Request Test Coverage Report for Build 6562574063
💛 - Coveralls |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM but I think we should trigger it once before 0.14 to publish the current state to TestPyPI. Apparently it's not very hard:
repository-url: https://test.pypi.org/legacy/
It's a good thing you asked me to test this, I just setup my fork to push to This is actually documented see: https://github.com/pypa/gh-action-pypi-publish#non-goals I'll adjust the job to work with this and then retest. |
### Summary This PR follows Qiskit/rustworkx#1001 to update the release CI workflow to use PyPI's trusted publisher mechanism.
Aside from the issue on non-linux runners, the trusted publisher upload works as expected to test pypyi: |
An unfortunate surprise but I am glad we caught it. Upload artifacts seems like extra steps but I don’t think they’ll add Windows/mac support ever by the wording of their documentation |
Ok, I've updated the job definition in: 781014a to use a a shared upload stage. Then I pushed another test to my fork branch on test pypi here: mtreinish@284e055 https://github.com/mtreinish/retworkx/actions/runs/6552138251 (the retworkx job failure is because I didn't bother configuring the trusted publisher pipeline for test pypi on retworkx) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
### Summary This PR follows Qiskit/rustworkx#1001 to update the release CI workflow to use PyPI's trusted publisher mechanism. (cherry picked from commit cfb47e2)
### Summary This PR follows Qiskit/rustworkx#1001 to update the release CI workflow to use PyPI's trusted publisher mechanism.
This commit updates the wheel job CI configuration to leverage PyPI's trusted publisher mechanism. Moving forward the bot account we've been using will be deleted (as it will require 2fa) and the rustworkx github repository's wheels.yml workflow has been setup as a trusted publisher. This commit updates the job configuration per:
https://docs.pypi.org/trusted-publishers/using-a-publisher/
to autheticate the job directly against pypi for publishing the package files without needign any user credentials.