Compare commits

...

32 Commits

Author SHA1 Message Date
Hugo van Kemenade c1b3402824 Fix a deprecation msg typo in the ancient branch: "migrading"->"migrating" (#212) 2024-02-27 04:59:28 +01:00
Sviatoslav Sydorenko c5d8ac5008 Add deprecationMessage to all inputs @ master 2023-07-13 17:06:59 +02:00
Sviatoslav Sydorenko ffa46275f9 Render a depecation message in job summary. 2023-07-13 17:06:59 +02:00
Sviatoslav Sydorenko 9b8e7336db 📝Inform about deprecation of master branch
This patch suggests the users to use `release/v1`.

Resolves #83
2022-07-25 17:29:21 +02:00
Sviatoslav Sydorenko 1bbe3c9926 📝 Announce deprecation of the master branch
From now on, the default repository branch is `unstable/v1`.

Resolves #83
2022-07-25 17:26:15 +02:00
Sviatoslav Sydorenko 37f50c210e Merge PR #91 2022-07-25 17:03:25 +02:00
Sviatoslav Sydorenko 9f0421c6c6 Add #StandWithUkraine banner to README
This patch highlights the original developer's identity while
spreading awareness about the circumstances[1] affecting the lead
contributors. Since it affects the maintenance of this project and the
users must be well-informed of why this repository doesn't get as much
attention as it deserves.

[1]: https://github.com/vshymanskyy/StandWithUkraine
2022-07-25 16:42:56 +02:00
meowmeowcat c3fbd68c15 Remove quotes
Fix #90
2022-01-13 12:50:40 +08:00
Sviatoslav Sydorenko 717ba43cfb Trim the trailing whitespaces in print-hash.py 2022-01-09 12:53:19 +01:00
Sviatoslav Sydorenko 4992a00fb2 Merge pull request #87 from meowmeowmeowcat/show-hash-values
This patch calculates SHA256, MD5, and BLAKE2-256 hash digests
of every file in the packages directory and prints out their HEX
representations to the log.

Resolves https://github.com/pypa/gh-action-pypi-publish/issues/62
2022-01-09 12:50:56 +01:00
meowmeowcat 977d067561 Fix a bug 2022-01-09 15:18:25 +08:00
Sviatoslav Sydorenko 5d18baa42c Drop unnecessary file_iterable var 2022-01-09 00:25:56 +01:00
Sviatoslav Sydorenko 0575dc8eab Refactor the hash helper script to use pathlib and CLI args 2022-01-09 00:24:29 +01:00
Sviatoslav Sydorenko 8682135dac Correct the if-clause for printing the hashes 2022-01-09 00:05:27 +01:00
meowmeowcat c83d37bdf0 Introduce print_hash in README 2022-01-08 12:41:13 +08:00
meowmeowcat 777bfc4346 Fix the message 2022-01-08 12:26:32 +08:00
meowmeowcat ca30c7da98 Show a message before printing hash values of files 2022-01-08 12:24:12 +08:00
meowmeowcat 06a2dd6685 Fix bug 2022-01-08 12:21:09 +08:00
meowmeowcat fc71be69fe Add print-hash.py to Dockerfile 2022-01-08 12:14:48 +08:00
meowmeowcat 77ee113713 Move out the Python script from the shell script 2022-01-08 12:12:15 +08:00
meowmeowcat e5cc29fe08 Show hash values of files uploaded 2022-01-08 00:24:27 +08:00
Sviatoslav Sydorenko bea5cda687 Fix a typo in README: s/wheels/wheel/ 2021-02-19 20:28:01 +01:00
Sviatoslav Sydorenko f334b3c277 Tell to use artifacts for platform wheels @ README
Per suggestion @
https://github.com/pypa/gh-action-pypi-publish/discussions/57#discussioncomment-365097
2021-02-19 20:22:31 +01:00
Sviatoslav Sydorenko c89694fb92 Merge PR #55 2021-02-19 20:08:03 +01:00
Sviatoslav Sydorenko ed5a157a01 Add an empty line after the title @ README 2021-02-19 20:04:22 +01:00
Sviatoslav Sydorenko 27b31702a0 Use Python 3.9 in runtime 2021-02-08 18:13:46 +01:00
Sviatoslav Sydorenko 9f41657646 Use wheels over newer sdists in pip install twine
Fixes #50
Fixes #51
2021-02-08 18:13:17 +01:00
Sviatoslav Sydorenko a5f9cf8db0 Upgrade pip in the docker container
Fixes #56
2021-02-08 18:11:53 +01:00
P. L. Lim 3f53700db1 DOC: Do not use master in examples
to be consistent with the "pro tip"
2021-01-22 09:36:17 -05:00
Sviatoslav Sydorenko f91f98d65e Merge PR #52 by @scop
This change adjusts the example secret names in README to be uppercase
and renames them to communicate better that it's supposed to be a PyPI
API token.
2020-12-13 23:44:03 +01:00
Ville Skyttä 4425980a33 Use PYPI_API_TOKEN instead of pypi_password as secret name in examples
GitHub secrets are customarily spelled in uppercase, and in PyPI terms
we're dealing with API tokens here, not passwords.
2020-12-12 18:08:55 +02:00
Sviatoslav Sydorenko 54b39fb937 🚑 Fix referring to $INPUT_VERBOSE var
Resolves #41
2020-09-26 00:42:02 +02:00
5 changed files with 285 additions and 12 deletions
+5 -2
View File
@@ -1,4 +1,4 @@
FROM python:3.8-slim
FROM python:3.9-slim
LABEL "maintainer" "Sviatoslav Sydorenko <wk+pypa@sydorenko.org.ua>"
LABEL "repository" "https://github.com/pypa/gh-action-pypi-publish"
@@ -7,11 +7,14 @@ LABEL "homepage" "https://github.com/pypa/gh-action-pypi-publish"
ENV PYTHONDONTWRITEBYTECODE 1
ENV PYTHONUNBUFFERED 1
RUN pip install --upgrade --no-cache-dir twine
RUN \
pip install --upgrade --no-cache-dir pip-with-requires-python && \
pip install --upgrade --no-cache-dir --prefer-binary twine
WORKDIR /app
COPY LICENSE.md .
COPY twine-upload.sh .
COPY print-hash.py .
RUN chmod +x twine-upload.sh
ENTRYPOINT ["/app/twine-upload.sh"]
+55 -9
View File
@@ -1,10 +1,20 @@
[![SWUbanner]][SWUdocs]
# PyPI publish GitHub Action
This action allows you to upload your [Python distribution packages]
in the `dist/` directory to PyPI.
This text suggests a minimalistic usage overview. For more detailed
walkthrough check out the [PyPA guide].
## 🌇 `master` branch sunset ❗
The `master` branch version has been sunset. Please, change the GitHub
Action version you use from `master` to `release/v1` or use an exact
tag, or a full Git commit SHA.
## Usage
To use the action add the following step to your workflow file (e.g.
@@ -13,10 +23,10 @@ To use the action add the following step to your workflow file (e.g.
```yml
- name: Publish a Python distribution to PyPI
uses: pypa/gh-action-pypi-publish@master
uses: pypa/gh-action-pypi-publish@release/v1
with:
user: __token__
password: ${{ secrets.pypi_password }}
password: ${{ secrets.PYPI_API_TOKEN }}
```
> **Pro tip**: instead of using branch pointers, like `master`, pin versions of
@@ -38,16 +48,16 @@ So the full step would look like:
```yml
- name: Publish package
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
uses: pypa/gh-action-pypi-publish@master
uses: pypa/gh-action-pypi-publish@release/v1
with:
user: __token__
password: ${{ secrets.pypi_password }}
password: ${{ secrets.PYPI_API_TOKEN }}
```
The example above uses the new [API token][PyPI API token] feature of
PyPI, which is recommended to restrict the access the action has.
The secret used in `${{ secrets.pypi_password }}` needs to be created on the
The secret used in `${{ secrets.PYPI_API_TOKEN }}` needs to be created on the
settings page of your project on GitHub. See [Creating & using secrets].
@@ -57,6 +67,28 @@ This GitHub Action [has nothing to do with _building package
distributions_]. Users are responsible for preparing dists for upload
by putting them into the `dist/` folder prior to running this Action.
> **IMPORTANT**: Since this GitHub Action is docker-based, it can only
> be used from within GNU/Linux based jobs in GitHub Actions CI/CD
> workflows. This is by design and is unlikely to change due to a number
> of considerations we rely on.
>
> This should not stop one from publishing platform-specific
> distribution packages, though. It is strongly advised to separate jobs
> for building the OS-specific wheels from the publish job. This allows
> one to (1) test exactly the same artifacts that are about to be
> uploaded to PyPI, (2) prevent parallel unsynchronized jobs from
> publishing only part of the dists asynchronously (in case when part of
> the jobs fail and others succeed ending up with an incomplete release
> on PyPI) and (3) make an atomic upload to PyPI (when part of the dists
> appear on PyPI, installers like pip will use that version for the
> dependency resolution but this may cause some environments to use
> sdists while the wheel for their runtime is not yet available).
>
> To implement this sort of orchestration, please use
> `actions/upload-artifact` and `actions/download-artifact` actions for
> sharing the built dists across stages and jobs. Then, use the `needs`
> setting to order the build, test and publish stages.
## Advanced release management
@@ -78,10 +110,10 @@ You'll need to create another token for a separate host and then
The action invocation in this case would look like:
```yml
- name: Publish package to TestPyPI
uses: pypa/gh-action-pypi-publish@master
uses: pypa/gh-action-pypi-publish@release/v1
with:
user: __token__
password: ${{ secrets.test_pypi_password }}
password: ${{ secrets.TEST_PYPI_API_TOKEN }}
repository_url: https://test.pypi.org/legacy/
```
@@ -93,10 +125,10 @@ would now look like:
```yml
- name: Publish package to PyPI
uses: pypa/gh-action-pypi-publish@master
uses: pypa/gh-action-pypi-publish@release/v1
with:
user: __token__
password: ${{ secrets.pypi_password }}
password: ${{ secrets.PYPI_API_TOKEN }}
packages_dir: custom-dir/
```
@@ -139,6 +171,16 @@ Sometimes, `twine upload` can fail and to debug use the `verbose` setting as fol
verbose: true
```
### Showing hash values of files to be uploaded
You may want to verify whether the files on PyPI were automatically uploaded by CI script.
It will show SHA256, MD5, BLAKE2-256 values of files to be uploaded.
```yml
with:
print_hash: true
```
## License
The Dockerfile and associated scripts and documentation in this project
@@ -154,3 +196,7 @@ https://packaging.python.org/guides/publishing-package-distribution-releases-usi
[PyPI API token]: https://pypi.org/help/#apitoken
[Python distribution packages]:
https://packaging.python.org/glossary/#term-distribution-package
[SWUbanner]:
https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner-direct-single.svg
[SWUdocs]:
https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md
+157
View File
@@ -4,30 +4,186 @@ description: Upload Python distribution packages to PyPI
inputs:
user:
description: PyPI user
deprecationMessage: >
UNSUPPORTED GITHUB ACTION VERSION
You are using `pypa/gh-action-pypi-publish@master`.
The `master` branch of this project has been sunset and will not
receive any updates, not even security bug fixes. Please, make
sure to use a supported version. If you want to pin to v1 major
version, use `pypa/gh-action-pypi-publish@release/v1`. If you
feel adventurous, you may opt to use use
`pypa/gh-action-pypi-publish@unstable/v1` instead. A more
general recommendation is to pin to exact tags or commit SHAs.
Please also consider migrating your setup to use secretless publishing:
https://github.com/marketplace/actions/pypi-publish#trusted-publishing
https://stand-with-ukraine.pp.ua
required: false
default: __token__
password:
description: Password for your PyPI user or an access token
deprecationMessage: >
UNSUPPORTED GITHUB ACTION VERSION
You are using `pypa/gh-action-pypi-publish@master`.
The `master` branch of this project has been sunset and will not
receive any updates, not even security bug fixes. Please, make
sure to use a supported version. If you want to pin to v1 major
version, use `pypa/gh-action-pypi-publish@release/v1`. If you
feel adventurous, you may opt to use use
`pypa/gh-action-pypi-publish@unstable/v1` instead. A more
general recommendation is to pin to exact tags or commit SHAs.
Please also consider migrating your setup to use secretless publishing:
https://github.com/marketplace/actions/pypi-publish#trusted-publishing
https://stand-with-ukraine.pp.ua
required: true
repository_url:
description: The repository URL to use
deprecationMessage: >
UNSUPPORTED GITHUB ACTION VERSION
You are using `pypa/gh-action-pypi-publish@master`.
The `master` branch of this project has been sunset and will not
receive any updates, not even security bug fixes. Please, make
sure to use a supported version. If you want to pin to v1 major
version, use `pypa/gh-action-pypi-publish@release/v1`. If you
feel adventurous, you may opt to use use
`pypa/gh-action-pypi-publish@unstable/v1` instead. A more
general recommendation is to pin to exact tags or commit SHAs.
Please also consider migrating your setup to use secretless publishing:
https://github.com/marketplace/actions/pypi-publish#trusted-publishing
https://stand-with-ukraine.pp.ua
required: false
packages_dir:
description: The target directory for distribution
deprecationMessage: >
UNSUPPORTED GITHUB ACTION VERSION
You are using `pypa/gh-action-pypi-publish@master`.
The `master` branch of this project has been sunset and will not
receive any updates, not even security bug fixes. Please, make
sure to use a supported version. If you want to pin to v1 major
version, use `pypa/gh-action-pypi-publish@release/v1`. If you
feel adventurous, you may opt to use use
`pypa/gh-action-pypi-publish@unstable/v1` instead. A more
general recommendation is to pin to exact tags or commit SHAs.
Please also consider migrating your setup to use secretless publishing:
https://github.com/marketplace/actions/pypi-publish#trusted-publishing
https://stand-with-ukraine.pp.ua
required: false
default: dist
verify_metadata:
description: Check metadata before uploading
deprecationMessage: >
UNSUPPORTED GITHUB ACTION VERSION
You are using `pypa/gh-action-pypi-publish@master`.
The `master` branch of this project has been sunset and will not
receive any updates, not even security bug fixes. Please, make
sure to use a supported version. If you want to pin to v1 major
version, use `pypa/gh-action-pypi-publish@release/v1`. If you
feel adventurous, you may opt to use use
`pypa/gh-action-pypi-publish@unstable/v1` instead. A more
general recommendation is to pin to exact tags or commit SHAs.
Please also consider migrating your setup to use secretless publishing:
https://github.com/marketplace/actions/pypi-publish#trusted-publishing
https://stand-with-ukraine.pp.ua
required: false
default: true
skip_existing:
description: >-
Do not fail if a Python package distribution
exists in the target package index
deprecationMessage: >
UNSUPPORTED GITHUB ACTION VERSION
You are using `pypa/gh-action-pypi-publish@master`.
The `master` branch of this project has been sunset and will not
receive any updates, not even security bug fixes. Please, make
sure to use a supported version. If you want to pin to v1 major
version, use `pypa/gh-action-pypi-publish@release/v1`. If you
feel adventurous, you may opt to use use
`pypa/gh-action-pypi-publish@unstable/v1` instead. A more
general recommendation is to pin to exact tags or commit SHAs.
Please also consider migrating your setup to use secretless publishing:
https://github.com/marketplace/actions/pypi-publish#trusted-publishing
https://stand-with-ukraine.pp.ua
required: false
default: false
verbose:
description: Show verbose output.
deprecationMessage: >
UNSUPPORTED GITHUB ACTION VERSION
You are using `pypa/gh-action-pypi-publish@master`.
The `master` branch of this project has been sunset and will not
receive any updates, not even security bug fixes. Please, make
sure to use a supported version. If you want to pin to v1 major
version, use `pypa/gh-action-pypi-publish@release/v1`. If you
feel adventurous, you may opt to use use
`pypa/gh-action-pypi-publish@unstable/v1` instead. A more
general recommendation is to pin to exact tags or commit SHAs.
Please also consider migrating your setup to use secretless publishing:
https://github.com/marketplace/actions/pypi-publish#trusted-publishing
https://stand-with-ukraine.pp.ua
required: false
default: false
print_hash:
description: Show hash values of files to be uploaded
deprecationMessage: >
UNSUPPORTED GITHUB ACTION VERSION
You are using `pypa/gh-action-pypi-publish@master`.
The `master` branch of this project has been sunset and will not
receive any updates, not even security bug fixes. Please, make
sure to use a supported version. If you want to pin to v1 major
version, use `pypa/gh-action-pypi-publish@release/v1`. If you
feel adventurous, you may opt to use use
`pypa/gh-action-pypi-publish@unstable/v1` instead. A more
general recommendation is to pin to exact tags or commit SHAs.
Please also consider migrating your setup to use secretless publishing:
https://github.com/marketplace/actions/pypi-publish#trusted-publishing
https://stand-with-ukraine.pp.ua
required: false
default: false
branding:
@@ -44,3 +200,4 @@ runs:
- ${{ inputs.verify_metadata }}
- ${{ inputs.skip_existing }}
- ${{ inputs.verbose }}
- ${{ inputs.print_hash }}
Executable
+26
View File
@@ -0,0 +1,26 @@
import hashlib
import pathlib
import sys
packages_dir = pathlib.Path(sys.argv[1]).resolve().absolute()
print("Showing hash values of files to be uploaded:")
for file_object in packages_dir.iterdir():
sha256 = hashlib.sha256()
md5 = hashlib.md5()
blake2_256 = hashlib.blake2b(digest_size=256 // 8)
print(file_object)
print("")
content = file_object.read_bytes()
sha256.update(content)
md5.update(content)
blake2_256.update(content)
print(f"SHA256: {sha256.hexdigest()}")
print(f"MD5: {md5.hexdigest()}")
print(f"BLAKE2-256: {blake2_256.hexdigest()}")
print("")
+42 -1
View File
@@ -2,6 +2,43 @@
set -Eeuo pipefail
echo \
'# UNSUPPORTED GITHUB ACTION VERSION' \
'\n\n' \
You are using `pypa/gh-action-pypi-publish@master`. \
The `master` branch of this project has been sunset and will not \
receive any updates, not even security bug fixes. Please, make \
sure to use a supported version. If you want to pin to v1 major \
version, use `pypa/gh-action-pypi-publish@release/v1`. If you \
feel adventurous, you may opt to use use \
`pypa/gh-action-pypi-publish@unstable/v1` instead. A more \
general recommendation is to pin to exact tags or commit shas. \
'\n\n' \
'\n\n' \
'### Oh, and while you are here — #StandWithUkraine' \
'\n\n' \
'[![SWUbanner]][SWUdocs]' \
'\n\n' \
'[SWUbanner]:' \
'https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner-direct-single.svg' \
'\n\n' \
'[SWUdocs]:' \
'https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md' \
>> "${GITHUB_STEP_SUMMARY}"
echo \
::warning file='# >>' PyPA publish to PyPI GHA'%3A' \
UNSUPPORTED GITHUB ACTION VERSION \
'<< ':: \
You are using '"pypa/gh-action-pypi-publish@master"'. \
The '"master"' branch of this project has been sunset and will not \
receive any updates, not even security bug fixes. Please, make \
sure to use a supported version. If you want to pin to v1 major \
version, use '"pypa/gh-action-pypi-publish@release/v1"'. If you \
feel adventurous, you may opt to use use \
'"pypa/gh-action-pypi-publish@unstable/v1"' instead. A more \
general recommendation is to pin to exact tags or commit shas.
if [[
"$INPUT_USER" == "__token__" &&
! "$INPUT_PASSWORD" =~ ^pypi-
@@ -40,10 +77,14 @@ if [[ ${INPUT_SKIP_EXISTING,,} != "false" ]] ; then
TWINE_EXTRA_ARGS=--skip-existing
fi
if [[ ${VERBOSE,,} != "false" ]] ; then
if [[ ${INPUT_VERBOSE,,} != "false" ]] ; then
TWINE_EXTRA_ARGS="--verbose $TWINE_EXTRA_ARGS"
fi
if [[ ${INPUT_PRINT_HASH,,} != "false" || ${INPUT_VERBOSE,,} != "false" ]] ; then
python /app/print-hash.py ${INPUT_PACKAGES_DIR%%/}
fi
TWINE_USERNAME="$INPUT_USER" \
TWINE_PASSWORD="$INPUT_PASSWORD" \
TWINE_REPOSITORY_URL="$INPUT_REPOSITORY_URL" \