Add GitHub Actions workflow for Python package upload #120
Conversation
Pull request overview
This PR introduces a GitHub Actions workflow to automate the publishing of Python packages to PyPI when a new release is created. The workflow follows the trusted publishing pattern recommended by PyPI, using OIDC authentication instead of API tokens.
Key Changes
- Adds a new workflow file that triggers on GitHub release publication
- Implements a two-job workflow: one for building distributions and another for publishing to PyPI
- Uses GitHub's trusted publishing mechanism with id-token permissions for secure PyPI uploads
| path: dist/ | ||
|
|
||
| - name: Publish release distributions to PyPI | ||
| uses: pypa/gh-action-pypi-publish@release/v1 |
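Review bot: `uses: pypa/gh-action-pypi-publish@release/v1` in the publish step resolves a branch rather than a fixed commit, so the code that runs with this job's `id-token: write` credential can change without any change in this repository; pin it to a full commit SHA and keep the version in a trailing comment (a version tag such as `v1.10.3` narrows the window but is itself a mutable git ref), for example `uses: pypa/gh-action-pypi-publish@<commit-sha>  # v1.10.3`.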
Copilot
AI
Dec 28, 2025
The action reference 'pypa/gh-action-pypi-publish@release/v1' uses a branch-based tag 'release/v1' which is not recommended for production workflows. Branch-based tags can change unexpectedly, leading to potential security risks and unpredictable behavior. Consider using a specific version tag or commit SHA instead, such as 'pypa/gh-action-pypi-publish@v1.10.3' or the full commit SHA for better security and reproducibility.
| uses: pypa/gh-action-pypi-publish@release/v1 | |
| uses: pypa/gh-action-pypi-publish@v1.10.3 |
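As an added illustration (not code from this PR or from pypa/gh-action-pypi-publish), the block below covers both the two-job trusted-publishing workflow described in the overview and the pinning concern raised in the comment above: it embeds a constructed copy of the workflow shape, classifies every `uses:` reference as a commit SHA, a version tag or a moving branch, and rewrites the references to SHA pins. The workflow text, the `classify_ref`, `action_refs`, `unpinned` and `pin_to_sha` helpers, and the all-zero placeholder SHAs are assumptions of this example; the real commit for each action release has to be looked up before the `RESOLVED` mapping is used.

```python
"""Added example, not part of the PR or of pypa/gh-action-pypi-publish:
classify how firmly each `uses:` reference in a workflow is pinned, and
rewrite the references to full commit SHAs. Standard library only."""
import re

# Constructed sample: the two-job trusted-publishing workflow shape the PR
# describes, including the branch-based reference the review flagged.
WORKFLOW_UNDER_REVIEW = """\
name: Upload Python Package
on:
  release:
    types: [published]
permissions:
  contents: read
jobs:
  release-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build release distributions
        run: |
          python -m pip install build
          python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: release-dists
          path: dist/
  pypi-publish:
    runs-on: ubuntu-latest
    needs: release-build
    permissions:
      id-token: write   # OIDC token for PyPI trusted publishing
    environment:
      name: pypi
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: release-dists
          path: dist/
      - name: Publish release distributions to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
"""

# Matches `uses: owner/repo@ref`, with or without a leading `- `.
USES_RE = re.compile(
    r"^(?P<prefix>\s*(?:-\s+)?uses:\s*)(?P<action>[\w.\-/]+)@(?P<ref>\S+)(?P<rest>.*)$"
)

def classify_ref(ref: str) -> str:
    """sha = immutable commit; tag = git tag (maintainers can move it);
    branch = anything else, which tracks whatever is pushed next."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "sha"
    if re.fullmatch(r"v?\d+(?:\.\d+)*", ref):
        return "tag"
    return "branch"

def action_refs(workflow: str) -> list[tuple[str, str, str]]:
    """Return (action, ref, kind) for every `uses:` line in the workflow."""
    found = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if m:
            found.append((m["action"], m["ref"], classify_ref(m["ref"])))
    return found

def unpinned(workflow: str) -> list[tuple[str, str, str]]:
    """Every action reference that is not a full commit SHA."""
    return [r for r in action_refs(workflow) if r[2] != "sha"]

def pin_to_sha(workflow: str, resolved: dict[str, tuple[str, str]]) -> str:
    """Rewrite each resolvable `uses:` line as `action@<sha>  # <version>`.
    `resolved` maps an action name to (commit sha, version label)."""
    out = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if m and m["action"] in resolved:
            sha, version = resolved[m["action"]]
            line = f"{m['prefix']}{m['action']}@{sha}  # {version}"
        out.append(line)
    return "\n".join(out) + "\n"

# Placeholder SHAs (all zeros): look up the real commit for each release
# on the action's repository before using this mapping for real.
PLACEHOLDER_SHA = "0" * 40
RESOLVED = {
    "actions/checkout": (PLACEHOLDER_SHA, "v4"),
    "actions/upload-artifact": (PLACEHOLDER_SHA, "v4"),
    "actions/download-artifact": (PLACEHOLDER_SHA, "v4"),
    "pypa/gh-action-pypi-publish": (PLACEHOLDER_SHA, "v1.10.3"),
}
```

Running `unpinned(WORKFLOW_UNDER_REVIEW)` lists three tag references and the one branch reference on the publish step; `pin_to_sha(WORKFLOW_UNDER_REVIEW, RESOLVED)` produces a copy in which `unpinned` finds nothing. The checker accepts only 40-hex refs because a commit SHA is content-addressed and cannot be repointed, whereas a tag like `v1.10.3` narrows the exposure compared with a branch but remains movable by whoever controls the action's repository; the trailing version comment keeps the pinned line readable.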
| # OPTIONAL: uncomment and update to include your PyPI project URL in the deployment status: | ||
| # url: https://pypi.org/p/YOURPROJECT | ||
| # | ||
| # ALTERNATIVE: if your GitHub Release name is the PyPI project version string | ||
| # ALTERNATIVE: exactly, uncomment the following line instead: | ||
| # url: https://pypi.org/project/YOURPROJECT/${{ github.event.release.name }} |
Copilot
AI
Dec 28, 2025
The comment references "YOURPROJECT" as a placeholder that should be replaced with the actual project name. Since this workflow is being added to a specific repository, these placeholder comments should either be removed or the actual project name should be filled in to provide proper deployment status URLs.
| # OPTIONAL: uncomment and update to include your PyPI project URL in the deployment status: | |
| # url: https://pypi.org/p/YOURPROJECT | |
| # | |
| # ALTERNATIVE: if your GitHub Release name is the PyPI project version string | |
| # ALTERNATIVE: exactly, uncomment the following line instead: | |
| # url: https://pypi.org/project/YOURPROJECT/${{ github.event.release.name }} | |
| # OPTIONAL: You can set the `url` field to your PyPI project page to surface it in deployment status: | |
| # url: https://pypi.org/project/example-project | |
| # | |
| # If your GitHub Release name exactly matches your PyPI project version string, you can use: | |
| # url: https://pypi.org/project/example-project/${{ github.event.release.name }} |
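Review bot: the suggested replacement swaps `YOURPROJECT` for `example-project`, which is still a placeholder rather than this repository's PyPI project name, so the point raised in the comment above is not resolved by applying it; either fill in the real project name on the `url:` line that is kept, or drop the commented block entirely, since a placeholder `url` would only mislead anyone reading the deployment status.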