From 2b62a7ae008abfbe25df62ce40f4dc72af1b9d6a Mon Sep 17 00:00:00 2001
From: Max Rakitin <mrakitin@bnl.gov>
Date: Tue, 3 Dec 2024 19:03:25 -0500
Subject: [PATCH 1/2] CI: update release process

---
 .github/workflows/code.yml | 50 ++++++++++++++++++++------------------
 .github/workflows/docs.yml |  8 +++---
 .gitignore                 |  1 +
 3 files changed, 31 insertions(+), 28 deletions(-)

diff --git a/.github/workflows/code.yml b/.github/workflows/code.yml
index 6b6fd5cce..97ad26205 100644
--- a/.github/workflows/code.yml
+++ b/.github/workflows/code.yml
@@ -13,7 +13,7 @@ jobs:
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.repository
     runs-on: "ubuntu-latest"
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Lint
         run: pip install --user .[dev] && tox -e pre-commit
@@ -22,7 +22,7 @@ jobs:
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.repository
     runs-on: "ubuntu-latest"
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0 # So we get history for version numbers
 
@@ -32,7 +32,7 @@ jobs:
         run: SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) pipx run build --sdist --wheel
 
       - name: Upload Wheel and Sdist as artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: dist
           path: dist
@@ -56,12 +56,12 @@ jobs:
       TEST_CL: pyepics
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0 # So we get history for version number
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -89,25 +89,27 @@ jobs:
   release:
     needs: [build]
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     # upload to PyPI and make a release on every tag
-    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+    # if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
     steps:
-      - uses: actions/download-artifact@v4.1.7
-
-      - name: Github Release
-        # We pin to the SHA, not the tag, for security reasons.
-        # https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions
-        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # v0.1.14
+      - uses: actions/download-artifact@v4
         with:
-          files: dist/*
-          generate_release_notes: true
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Publish to PyPI
-        env:
-          TWINE_USERNAME: __token__
-          # The PYPI_PASSWORD must be a pypi token with the "pypi-" prefix with sufficient permissions to upload this package
-          # https://pypi.org/help/#apitoken
-          TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
-        run: pipx run twine upload dist/*
+          name: dist
+          path: dist
+
+      # - name: Github Release
+      #   # We pin to the SHA, not the tag, for security reasons.
+      #   # https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions
+      #   uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # v0.1.14
+      #   with:
+      #     files: dist/*
+      #     generate_release_notes: true
+      #   env:
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # - name: Publish to PyPI
+      #   uses: pypa/gh-action-pypi-publish@release/v1
+      #   with:
+      #     packages-dir: ./dist/
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 63c571d2a..84b3b60a5 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -16,7 +16,7 @@ jobs:
       TOX_DIRECT: 1
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0 # So we get history for version numbers
 
@@ -24,7 +24,7 @@ jobs:
         run: sudo apt-get install graphviz
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -35,7 +35,7 @@ jobs:
         run: tox -e docs
 
       - name: Upload built docs as artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: docs
           path: build
@@ -44,7 +44,7 @@ jobs:
         run: echo "REPOSITORY_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV
 
       - name: Deploy documentation to blueskyproject.io.
-        if: github.repository_owner == 'bluesky' && github.ref_name == 'master'
+        if: github.repository_owner == 'bluesky' && github.ref_name == 'main'
         # We pin to the SHA, not the tag, for security reasons.
         # https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions
         uses: peaceiris/actions-gh-pages@bbdfb200618d235585ad98e965f4aafc39b4c501 # v3.7.3
diff --git a/.gitignore b/.gitignore
index 43b736ba8..4fea01d5f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,6 +22,7 @@ var/
 *.egg-info/
 .installed.cfg
 *.egg
+.eggs/
 
 # PyInstaller
 #  Usually these files are written by a python script from a template

From c936ab632298edf403e1ce99a030bf6fdb25a480 Mon Sep 17 00:00:00 2001
From: Max Rakitin <mrakitin@bnl.gov>
Date: Tue, 3 Dec 2024 19:07:28 -0500
Subject: [PATCH 2/2] CI: uncomment the release steps block (for GH and PyPI)

---
 .github/workflows/code.yml | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/code.yml b/.github/workflows/code.yml
index 97ad26205..7cb75ff68 100644
--- a/.github/workflows/code.yml
+++ b/.github/workflows/code.yml
@@ -92,24 +92,24 @@ jobs:
     permissions:
       id-token: write
     # upload to PyPI and make a release on every tag
-    # if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
     steps:
       - uses: actions/download-artifact@v4
         with:
           name: dist
           path: dist
 
-      # - name: Github Release
-      #   # We pin to the SHA, not the tag, for security reasons.
-      #   # https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions
-      #   uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # v0.1.14
-      #   with:
-      #     files: dist/*
-      #     generate_release_notes: true
-      #   env:
-      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      # - name: Publish to PyPI
-      #   uses: pypa/gh-action-pypi-publish@release/v1
-      #   with:
-      #     packages-dir: ./dist/
+      - name: Github Release
+        # We pin to the SHA, not the tag, for security reasons.
+        # https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions
+        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # v0.1.14
+        with:
+          files: dist/*
+          generate_release_notes: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: ./dist/