8000 update publishing workflow by briantist · Pull Request #1000 · hvac/hvac · GitHub
update publishing workflow #1000


Merged (1 commit) on Jun 17, 2023

Conversation

briantist (Contributor)

The recent release of v1.1.1 has failed to upload to PyPI, due to issues with the credentials we're using.

Rather than replace the existing credentials with an API token, it seemed like a good opportunity to revisit our publishing workflow and use the new OIDC support for publishing to PyPI.

I have:

  • updated our PyPI to add our GitHub publishing workflow as a trusted publisher.
  • added a new deployment environment in GitHub called pypi-publishing for running the workflow; it limits the branch that it can run against and has some additional restrictions which we can tweak in the future.

This PR changes the publishing workflow in the following ways:

  • the single job has been split into 3 jobs
  • the build job is responsible for publishing the package itself; it has access only to the repository contents and it produces a build artifact
  • the asset job is new; it downloads the artifact and adds it as a release asset, that way our package is directly downloadable from the releases page (this is a nice-to-have)
  • the publish job downloads the artifact, and then publishes it to PyPI. It has no access to repository contents and it runs in the dedicated publish environment
  • the latter two jobs can run in parallel because they don't depend on each other, but they both depend on the build job completing first
  • poetry is no longer used to publish the artifact, in favor of using the official PyPI github action which directly supports the OIDC integration nicely
  • the credentials we have stored in the repository are not used anymore, and once we have a working implementation with OIDC, they will be deleted

Testing note

This workflow is triggered on release publishing, and as a result, it cannot be tested in this PR, nor can it be tested when this PR is merged to develop. I will have to rebase the merged changes into main before I can try it.

This is not an ideal situation. Changes to this workflow may require several rounds of iteration, but I don't want to put up a PR directly to main due to some difficulty with our current release workflow:

There may be more PRs after this to continue this work.
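The three-job layout described above, sketched as an added illustrative workflow (this is not the file from the PR or from the hvac project; it assumes `ubuntu-latest` runners, a PEP 517 `python -m build` step in place of poetry, the action versions current in mid-2023, and the `pypi-publishing` environment named in the description):

```yaml
name: publish
on:
  release:
    types: [published]       # the trigger the PR describes; cannot be exercised from a PR
permissions: {}              # drop the default token grants; each job asks for what it needs

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read         # source checkout only
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: "3.x"
      - run: python -m pip install build && python -m build   # assumption: PEP 517 build, not poetry
      - uses: actions/upload-artifact@v3
        with:
          name: dist
          path: dist/

  asset:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write        # required to attach files to the release
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: dist
          path: dist/
      - env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
        run: gh release upload "${{ github.event.release.tag_name }}" dist/*

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi-publishing   # the restricted deployment environment from the PR
    permissions:
      id-token: write        # lets the job mint the OIDC token PyPI trusts; no contents access at all
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1   # no stored credentials; uses OIDC
```

The `asset` and `publish` jobs both list `needs: build` and nothing else, so they run in parallel once the artifact exists; only `publish` can obtain an OIDC token, and it never checks out the repository.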

@briantist briantist added skip-changelog will not be shown in the auto-generated changelog maintenance General technical debt labels Jun 17, 2023
@briantist briantist requested a review from a team as a code owner June 17, 2023 18:34
@briantist briantist self-assigned this Jun 17, 2023
@briantist briantist merged commit 097bfde into hvac:develop Jun 17, 2023
@briantist briantist deleted the publish/pypi-oidc branch June 17, 2023 18:39
@briantist briantist restored the publish/pypi-oidc branch June 17, 2023 19:00