Publishing/Releasing Feedback Fixes #28
base: main
Conversation
f-allian commented Sep 26, 2024
- Closes issue "Feedback: Section 6 - Publishing Python Packages" #21
Thank you! Thank you for your pull request 😃 🤖 This automated message can help you check the rendered files in your submission for clarity. If you have any questions, please feel free to open an issue in {sandpaper}. If you have files that automatically render output (e.g. R Markdown), then you should check for the following:

Rendered Changes 🔍 Inspect the changes: https://github.com/christopher-wild/FAIR4RS-Packaging/compare/md-outputs..md-outputs-PR-28 The following changes were observed in the rendered markdown documents:

What does this mean? If you have source files that require output and figures to be generated (e.g. R Markdown), then it is important to make sure the generated figures and output are reproducible. This output provides a way for you to inspect the output in a diff-friendly manner so that it's easy to see the changes that occur due to new software versions or randomisation. ⏱️ Updated at 2024-10-04 10:30:59 +0000
We can start by configuring a GitHub Actions workflow (e.g., publish.yml) triggered specifically on tag pushes as demonstrated in the previous section (`on: push: tags: - 'v*'`). Within the workflow, we can define jobs to build the package using tools like `build` (`python -m build`) to create both `sdist` and the `wheel` distributions. Following this, we securely manage our PyPI credentials by storing them as GitHub Secrets (`secrets.PYPI_USERNAME`, `secrets.PYPI_PASSWORD`) and only access them securely within the workflow environment.
Before writing a workflow file, we need to make sure that we've created a PyPI API token to authenticate the Action.
Next, you should add this API token as a repository secret under `Settings > Secrets > Actions`, called something like `PYPI_TOKEN`. You can follow the same instructions to generate a similar token for TestPyPI, too.
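Review bot: the first paragraph tells readers to store `secrets.PYPI_USERNAME` and `secrets.PYPI_PASSWORD`, but the following two paragraphs then set up a single API token stored as `PYPI_TOKEN`; the two descriptions do not match, and PyPI does not accept account passwords for uploads, only API tokens or Trusted Publishing. Suggest dropping the username/password secret names in favour of `secrets.PYPI_TOKEN` and stating that, when an API token is used, the upload username is the literal `__token__` and the token itself is the password. It would also help to tell readers to scope the token to the one project rather than the whole account, since a leaked repository secret can otherwise upload to every project the account owns.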
At some point in the last couple of years PyPI have swapped from API tokens to trusted publishers as the recommended way of authenticating.
https://pypi.org/help/#apitoken
> If you are publishing to PyPI from a CI provider that supports [Trusted Publishing](https://pypi.org/help/#trusted-publishers), we strongly recommend using Trusted Publishing instead.

I haven't looked into the advantages / disadvantages yet and I'm not sure if it is worth swapping in this lesson.
@christopher-wild Thanks, that's really useful, I wasn't aware of this! I've added a callout for awareness, but have mentioned it's not in the scope of this current episode.