update publishing workflow by briantist · Pull Request #1002 · hvac/hvac · GitHub

update publishing workflow #1002


Merged: 1 commit, Jun 17, 2023

Conversation

briantist
Contributor

This is a re-submission of #1000, after updating the default branch of the project from develop to main, due to #980 .

Original content follows.


The recent release of v1.1.1 has failed to upload to PyPI, due to issues with the credentials we're using.

Rather than replace the existing credentials with an API token, it seemed like a good opportunity to revisit our publishing workflow and use the new OIDC support for publishing to PyPI.

I have:

  • updated our PyPI to add our GitHub publishing workflow as a trusted publisher.
  • added a new deployment environment in GitHub called pypi-publishing for running the workflow; it limits the branch that it can run against and has some additional restrictions which we can tweak in the future.

This PR changes the publishing workflow in the following ways:

  • the single job has been split into 3 jobs
  • the build job is responsible for publishing the package itself; it has access only to the repository contents and it produces a build artifact
  • the asset job is new; it downloads the artifact and adds it as a release asset, that way our package is directly downloadable from the releases page (this is a nice-to-have)
  • the publish job downloads the artifact, and then publishes it to PyPI. It has no access to repository contents and it runs in the dedicated publish environment
  • the latter two jobs can run in parallel because they don't depend on each other, but they both depend on the build job completing first
  • poetry is no longer used to publish the artifact, in favor of using the official PyPI GitHub action which directly supports the OIDC integration nicely
  • the credentials we have stored in the repository are not used anymore, and once we have a working implementation with OIDC, they will be deleted

Testing note

This workflow is triggered on release publishing, and as a result, it cannot be tested in this PR.

@briantist briantist added skip-changelog (will not be shown in the auto-generated changelog) and maintenance (General technical debt) labels Jun 17, 2023
@briantist briantist requested a review from a team as a code owner June 17, 2023 19:05
@briantist briantist self-assigned this Jun 17, 2023
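
The job split from the PR description above, sketched as a GitHub Actions workflow with per-job permissions. This is an added example, not the workflow file from this PR: the build command, action version tags, and the artifact name `dist` are assumptions, while the `pypi-publishing` environment name comes from the description.

```yaml
# Added example: job layout follows the PR description; step details are assumptions.
on:
  release:
    types: [published]

permissions: {}   # default-deny; each job opts in to exactly what it needs

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # repository contents only
    steps:
      - uses: actions/checkout@v4
      - run: pipx run build     # assumed build command; produces dist/
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  asset:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write           # required to attach files to the release
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - run: gh release upload "$TAG" dist/* --repo "$GITHUB_REPOSITORY"
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ github.event.release.tag_name }}   # passed via env, not inlined into the script

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi-publishing   # deployment environment named in the PR description
    permissions:
      id-token: write           # OIDC token for PyPI trusted publishing; no contents access
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1   # no password input: OIDC is used
```

Only the `publish` job can mint an OIDC token, and it never checks out the repository, so the code that runs with publishing rights is limited to the artifact download and the upload action.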
@codecov
codecov bot commented Jun 17, 2023

Codecov Report

Merging #1002 (bc2471f) into main (13e4774) will increase coverage by 1.40%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #1002      +/-   ##
==========================================
+ Coverage   82.04%   83.45%   +1.40%     
==========================================
  Files          65       65              
  Lines        3019     2985      -34     
==========================================
+ Hits         2477     2491      +14     
+ Misses        542      494      -48     

see 9 files with indirect coverage changes

@briantist briantist force-pushed the publish/pypi-oidc branch from d274c70 to bc2471f Compare June 17, 2023 19:24
@briantist briantist merged commit ceceeee into hvac:main Jun 17, 2023