mirror of
https://gitcode.com/gh_mirrors/gh/gh-action-pypi-publish.git
synced 2026-07-08 20:30:50 +00:00
Compare commits
32 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| c1b3402824 | |||
| c5d8ac5008 | |||
| ffa46275f9 | |||
| 9b8e7336db | |||
| 1bbe3c9926 | |||
| 37f50c210e | |||
| 9f0421c6c6 | |||
| c3fbd68c15 | |||
| 717ba43cfb | |||
| 4992a00fb2 | |||
| 977d067561 | |||
| 5d18baa42c | |||
| 0575dc8eab | |||
| 8682135dac | |||
| c83d37bdf0 | |||
| 777bfc4346 | |||
| ca30c7da98 | |||
| 06a2dd6685 | |||
| fc71be69fe | |||
| 77ee113713 | |||
| e5cc29fe08 | |||
| bea5cda687 | |||
| f334b3c277 | |||
| c89694fb92 | |||
| ed5a157a01 | |||
| 27b31702a0 | |||
| 9f41657646 | |||
| a5f9cf8db0 | |||
| 3f53700db1 | |||
| f91f98d65e | |||
| 4425980a33 | |||
| 54b39fb937 |
+5
-2
@@ -1,4 +1,4 @@
|
||||
FROM python:3.8-slim
|
||||
FROM python:3.9-slim
|
||||
|
||||
LABEL "maintainer" "Sviatoslav Sydorenko <wk+pypa@sydorenko.org.ua>"
|
||||
LABEL "repository" "https://github.com/pypa/gh-action-pypi-publish"
|
||||
@@ -7,11 +7,14 @@ LABEL "homepage" "https://github.com/pypa/gh-action-pypi-publish"
|
||||
ENV PYTHONDONTWRITEBYTECODE 1
|
||||
ENV PYTHONUNBUFFERED 1
|
||||
|
||||
RUN pip install --upgrade --no-cache-dir twine
|
||||
RUN \
|
||||
pip install --upgrade --no-cache-dir pip-with-requires-python && \
|
||||
pip install --upgrade --no-cache-dir --prefer-binary twine
|
||||
|
||||
WORKDIR /app
|
||||
COPY LICENSE.md .
|
||||
COPY twine-upload.sh .
|
||||
COPY print-hash.py .
|
||||
|
||||
RUN chmod +x twine-upload.sh
|
||||
ENTRYPOINT ["/app/twine-upload.sh"]
|
||||
|
||||
@@ -1,10 +1,20 @@
|
||||
[![SWUbanner]][SWUdocs]
|
||||
|
||||
# PyPI publish GitHub Action
|
||||
|
||||
This action allows you to upload your [Python distribution packages]
|
||||
in the `dist/` directory to PyPI.
|
||||
This text suggests a minimalistic usage overview. For more detailed
|
||||
walkthrough check out the [PyPA guide].
|
||||
|
||||
|
||||
## 🌇 `master` branch sunset ❗
|
||||
|
||||
The `master` branch version has been sunset. Please, change the GitHub
|
||||
Action version you use from `master` to `release/v1` or use an exact
|
||||
tag, or a full Git commit SHA.
|
||||
|
||||
|
||||
## Usage
|
||||
|
||||
To use the action add the following step to your workflow file (e.g.
|
||||
@@ -13,10 +23,10 @@ To use the action add the following step to your workflow file (e.g.
|
||||
|
||||
```yml
|
||||
- name: Publish a Python distribution to PyPI
|
||||
uses: pypa/gh-action-pypi-publish@master
|
||||
uses: pypa/gh-action-pypi-publish@release/v1
|
||||
with:
|
||||
user: __token__
|
||||
password: ${{ secrets.pypi_password }}
|
||||
password: ${{ secrets.PYPI_API_TOKEN }}
|
||||
```
|
||||
|
||||
> **Pro tip**: instead of using branch pointers, like `master`, pin versions of
|
||||
@@ -38,16 +48,16 @@ So the full step would look like:
|
||||
```yml
|
||||
- name: Publish package
|
||||
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
|
||||
uses: pypa/gh-action-pypi-publish@master
|
||||
uses: pypa/gh-action-pypi-publish@release/v1
|
||||
with:
|
||||
user: __token__
|
||||
password: ${{ secrets.pypi_password }}
|
||||
password: ${{ secrets.PYPI_API_TOKEN }}
|
||||
```
|
||||
|
||||
The example above uses the new [API token][PyPI API token] feature of
|
||||
PyPI, which is recommended to restrict the access the action has.
|
||||
|
||||
The secret used in `${{ secrets.pypi_password }}` needs to be created on the
|
||||
The secret used in `${{ secrets.PYPI_API_TOKEN }}` needs to be created on the
|
||||
settings page of your project on GitHub. See [Creating & using secrets].
|
||||
|
||||
|
||||
@@ -57,6 +67,28 @@ This GitHub Action [has nothing to do with _building package
|
||||
distributions_]. Users are responsible for preparing dists for upload
|
||||
by putting them into the `dist/` folder prior to running this Action.
|
||||
|
||||
> **IMPORTANT**: Since this GitHub Action is docker-based, it can only
|
||||
> be used from within GNU/Linux based jobs in GitHub Actions CI/CD
|
||||
> workflows. This is by design and is unlikely to change due to a number
|
||||
> of considerations we rely on.
|
||||
>
|
||||
> This should not stop one from publishing platform-specific
|
||||
> distribution packages, though. It is strongly advised to separate jobs
|
||||
> for building the OS-specific wheels from the publish job. This allows
|
||||
> one to (1) test exactly the same artifacts that are about to be
|
||||
> uploaded to PyPI, (2) prevent parallel unsynchronized jobs from
|
||||
> publishing only part of the dists asynchronously (in case when part of
|
||||
> the jobs fail and others succeed ending up with an incomplete release
|
||||
> on PyPI) and (3) make an atomic upload to PyPI (when part of the dists
|
||||
> appear on PyPI, installers like pip will use that version for the
|
||||
> dependency resolution but this may cause some environments to use
|
||||
> sdists while the wheel for their runtime is not yet available).
|
||||
>
|
||||
> To implement this sort of orchestration, please use
|
||||
> `actions/upload-artifact` and `actions/download-artifact` actions for
|
||||
> sharing the built dists across stages and jobs. Then, use the `needs`
|
||||
> setting to order the build, test and publish stages.
|
||||
|
||||
|
||||
## Advanced release management
|
||||
|
||||
@@ -78,10 +110,10 @@ You'll need to create another token for a separate host and then
|
||||
The action invocation in this case would look like:
|
||||
```yml
|
||||
- name: Publish package to TestPyPI
|
||||
uses: pypa/gh-action-pypi-publish@master
|
||||
uses: pypa/gh-action-pypi-publish@release/v1
|
||||
with:
|
||||
user: __token__
|
||||
password: ${{ secrets.test_pypi_password }}
|
||||
password: ${{ secrets.TEST_PYPI_API_TOKEN }}
|
||||
repository_url: https://test.pypi.org/legacy/
|
||||
```
|
||||
|
||||
@@ -93,10 +125,10 @@ would now look like:
|
||||
|
||||
```yml
|
||||
- name: Publish package to PyPI
|
||||
uses: pypa/gh-action-pypi-publish@master
|
||||
uses: pypa/gh-action-pypi-publish@release/v1
|
||||
with:
|
||||
user: __token__
|
||||
password: ${{ secrets.pypi_password }}
|
||||
password: ${{ secrets.PYPI_API_TOKEN }}
|
||||
packages_dir: custom-dir/
|
||||
```
|
||||
|
||||
@@ -139,6 +171,16 @@ Sometimes, `twine upload` can fail and to debug use the `verbose` setting as fol
|
||||
verbose: true
|
||||
```
|
||||
|
||||
### Showing hash values of files to be uploaded
|
||||
|
||||
You may want to verify whether the files on PyPI were automatically uploaded by CI script.
|
||||
It will show SHA256, MD5, BLAKE2-256 values of files to be uploaded.
|
||||
|
||||
```yml
|
||||
with:
|
||||
print_hash: true
|
||||
```
|
||||
|
||||
## License
|
||||
|
||||
The Dockerfile and associated scripts and documentation in this project
|
||||
@@ -154,3 +196,7 @@ https://packaging.python.org/guides/publishing-package-distribution-releases-usi
|
||||
[PyPI API token]: https://pypi.org/help/#apitoken
|
||||
[Python distribution packages]:
|
||||
https://packaging.python.org/glossary/#term-distribution-package
|
||||
[SWUbanner]:
|
||||
https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner-direct-single.svg
|
||||
[SWUdocs]:
|
||||
https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md
|
||||
|
||||
+157
@@ -4,30 +4,186 @@ description: Upload Python distribution packages to PyPI
|
||||
inputs:
|
||||
user:
|
||||
description: PyPI user
|
||||
deprecationMessage: >
|
||||
UNSUPPORTED GITHUB ACTION VERSION
|
||||
|
||||
|
||||
You are using `pypa/gh-action-pypi-publish@master`.
|
||||
The `master` branch of this project has been sunset and will not
|
||||
receive any updates, not even security bug fixes. Please, make
|
||||
sure to use a supported version. If you want to pin to v1 major
|
||||
version, use `pypa/gh-action-pypi-publish@release/v1`. If you
|
||||
feel adventurous, you may opt to use use
|
||||
`pypa/gh-action-pypi-publish@unstable/v1` instead. A more
|
||||
general recommendation is to pin to exact tags or commit SHAs.
|
||||
|
||||
|
||||
Please also consider migrating your setup to use secretless publishing:
|
||||
https://github.com/marketplace/actions/pypi-publish#trusted-publishing
|
||||
|
||||
|
||||
https://stand-with-ukraine.pp.ua
|
||||
required: false
|
||||
default: __token__
|
||||
password:
|
||||
description: Password for your PyPI user or an access token
|
||||
deprecationMessage: >
|
||||
UNSUPPORTED GITHUB ACTION VERSION
|
||||
|
||||
|
||||
You are using `pypa/gh-action-pypi-publish@master`.
|
||||
The `master` branch of this project has been sunset and will not
|
||||
receive any updates, not even security bug fixes. Please, make
|
||||
sure to use a supported version. If you want to pin to v1 major
|
||||
version, use `pypa/gh-action-pypi-publish@release/v1`. If you
|
||||
feel adventurous, you may opt to use use
|
||||
`pypa/gh-action-pypi-publish@unstable/v1` instead. A more
|
||||
general recommendation is to pin to exact tags or commit SHAs.
|
||||
|
||||
|
||||
Please also consider migrating your setup to use secretless publishing:
|
||||
https://github.com/marketplace/actions/pypi-publish#trusted-publishing
|
||||
|
||||
|
||||
https://stand-with-ukraine.pp.ua
|
||||
required: true
|
||||
repository_url:
|
||||
description: The repository URL to use
|
||||
deprecationMessage: >
|
||||
UNSUPPORTED GITHUB ACTION VERSION
|
||||
|
||||
|
||||
You are using `pypa/gh-action-pypi-publish@master`.
|
||||
The `master` branch of this project has been sunset and will not
|
||||
receive any updates, not even security bug fixes. Please, make
|
||||
sure to use a supported version. If you want to pin to v1 major
|
||||
version, use `pypa/gh-action-pypi-publish@release/v1`. If you
|
||||
feel adventurous, you may opt to use use
|
||||
`pypa/gh-action-pypi-publish@unstable/v1` instead. A more
|
||||
general recommendation is to pin to exact tags or commit SHAs.
|
||||
|
||||
|
||||
Please also consider migrating your setup to use secretless publishing:
|
||||
https://github.com/marketplace/actions/pypi-publish#trusted-publishing
|
||||
|
||||
|
||||
https://stand-with-ukraine.pp.ua
|
||||
required: false
|
||||
packages_dir:
|
||||
description: The target directory for distribution
|
||||
deprecationMessage: >
|
||||
UNSUPPORTED GITHUB ACTION VERSION
|
||||
|
||||
|
||||
You are using `pypa/gh-action-pypi-publish@master`.
|
||||
The `master` branch of this project has been sunset and will not
|
||||
receive any updates, not even security bug fixes. Please, make
|
||||
sure to use a supported version. If you want to pin to v1 major
|
||||
version, use `pypa/gh-action-pypi-publish@release/v1`. If you
|
||||
feel adventurous, you may opt to use use
|
||||
`pypa/gh-action-pypi-publish@unstable/v1` instead. A more
|
||||
general recommendation is to pin to exact tags or commit SHAs.
|
||||
|
||||
|
||||
Please also consider migrating your setup to use secretless publishing:
|
||||
https://github.com/marketplace/actions/pypi-publish#trusted-publishing
|
||||
|
||||
|
||||
https://stand-with-ukraine.pp.ua
|
||||
required: false
|
||||
default: dist
|
||||
verify_metadata:
|
||||
description: Check metadata before uploading
|
||||
deprecationMessage: >
|
||||
UNSUPPORTED GITHUB ACTION VERSION
|
||||
|
||||
|
||||
You are using `pypa/gh-action-pypi-publish@master`.
|
||||
The `master` branch of this project has been sunset and will not
|
||||
receive any updates, not even security bug fixes. Please, make
|
||||
sure to use a supported version. If you want to pin to v1 major
|
||||
version, use `pypa/gh-action-pypi-publish@release/v1`. If you
|
||||
feel adventurous, you may opt to use use
|
||||
`pypa/gh-action-pypi-publish@unstable/v1` instead. A more
|
||||
general recommendation is to pin to exact tags or commit SHAs.
|
||||
|
||||
|
||||
Please also consider migrating your setup to use secretless publishing:
|
||||
https://github.com/marketplace/actions/pypi-publish#trusted-publishing
|
||||
|
||||
|
||||
https://stand-with-ukraine.pp.ua
|
||||
required: false
|
||||
default: true
|
||||
skip_existing:
|
||||
description: >-
|
||||
Do not fail if a Python package distribution
|
||||
exists in the target package index
|
||||
deprecationMessage: >
|
||||
UNSUPPORTED GITHUB ACTION VERSION
|
||||
|
||||
|
||||
You are using `pypa/gh-action-pypi-publish@master`.
|
||||
The `master` branch of this project has been sunset and will not
|
||||
receive any updates, not even security bug fixes. Please, make
|
||||
sure to use a supported version. If you want to pin to v1 major
|
||||
version, use `pypa/gh-action-pypi-publish@release/v1`. If you
|
||||
feel adventurous, you may opt to use use
|
||||
`pypa/gh-action-pypi-publish@unstable/v1` instead. A more
|
||||
general recommendation is to pin to exact tags or commit SHAs.
|
||||
|
||||
|
||||
Please also consider migrating your setup to use secretless publishing:
|
||||
https://github.com/marketplace/actions/pypi-publish#trusted-publishing
|
||||
|
||||
|
||||
https://stand-with-ukraine.pp.ua
|
||||
required: false
|
||||
default: false
|
||||
verbose:
|
||||
description: Show verbose output.
|
||||
deprecationMessage: >
|
||||
UNSUPPORTED GITHUB ACTION VERSION
|
||||
|
||||
|
||||
You are using `pypa/gh-action-pypi-publish@master`.
|
||||
The `master` branch of this project has been sunset and will not
|
||||
receive any updates, not even security bug fixes. Please, make
|
||||
sure to use a supported version. If you want to pin to v1 major
|
||||
version, use `pypa/gh-action-pypi-publish@release/v1`. If you
|
||||
feel adventurous, you may opt to use use
|
||||
`pypa/gh-action-pypi-publish@unstable/v1` instead. A more
|
||||
general recommendation is to pin to exact tags or commit SHAs.
|
||||
|
||||
|
||||
Please also consider migrating your setup to use secretless publishing:
|
||||
https://github.com/marketplace/actions/pypi-publish#trusted-publishing
|
||||
|
||||
|
||||
https://stand-with-ukraine.pp.ua
|
||||
required: false
|
||||
default: false
|
||||
print_hash:
|
||||
description: Show hash values of files to be uploaded
|
||||
deprecationMessage: >
|
||||
UNSUPPORTED GITHUB ACTION VERSION
|
||||
|
||||
|
||||
You are using `pypa/gh-action-pypi-publish@master`.
|
||||
The `master` branch of this project has been sunset and will not
|
||||
receive any updates, not even security bug fixes. Please, make
|
||||
sure to use a supported version. If you want to pin to v1 major
|
||||
version, use `pypa/gh-action-pypi-publish@release/v1`. If you
|
||||
feel adventurous, you may opt to use use
|
||||
`pypa/gh-action-pypi-publish@unstable/v1` instead. A more
|
||||
general recommendation is to pin to exact tags or commit SHAs.
|
||||
|
||||
|
||||
Please also consider migrating your setup to use secretless publishing:
|
||||
https://github.com/marketplace/actions/pypi-publish#trusted-publishing
|
||||
|
||||
|
||||
https://stand-with-ukraine.pp.ua
|
||||
required: false
|
||||
default: false
|
||||
branding:
|
||||
@@ -44,3 +200,4 @@ runs:
|
||||
- ${{ inputs.verify_metadata }}
|
||||
- ${{ inputs.skip_existing }}
|
||||
- ${{ inputs.verbose }}
|
||||
- ${{ inputs.print_hash }}
|
||||
|
||||
Executable
+26
@@ -0,0 +1,26 @@
|
||||
import hashlib
|
||||
import pathlib
|
||||
import sys
|
||||
|
||||
packages_dir = pathlib.Path(sys.argv[1]).resolve().absolute()
|
||||
|
||||
print("Showing hash values of files to be uploaded:")
|
||||
|
||||
for file_object in packages_dir.iterdir():
|
||||
sha256 = hashlib.sha256()
|
||||
md5 = hashlib.md5()
|
||||
blake2_256 = hashlib.blake2b(digest_size=256 // 8)
|
||||
|
||||
print(file_object)
|
||||
print("")
|
||||
|
||||
content = file_object.read_bytes()
|
||||
|
||||
sha256.update(content)
|
||||
md5.update(content)
|
||||
blake2_256.update(content)
|
||||
|
||||
print(f"SHA256: {sha256.hexdigest()}")
|
||||
print(f"MD5: {md5.hexdigest()}")
|
||||
print(f"BLAKE2-256: {blake2_256.hexdigest()}")
|
||||
print("")
|
||||
+42
-1
@@ -2,6 +2,43 @@
|
||||
set -Eeuo pipefail
|
||||
|
||||
|
||||
echo \
|
||||
'# UNSUPPORTED GITHUB ACTION VERSION' \
|
||||
'\n\n' \
|
||||
You are using `pypa/gh-action-pypi-publish@master`. \
|
||||
The `master` branch of this project has been sunset and will not \
|
||||
receive any updates, not even security bug fixes. Please, make \
|
||||
sure to use a supported version. If you want to pin to v1 major \
|
||||
version, use `pypa/gh-action-pypi-publish@release/v1`. If you \
|
||||
feel adventurous, you may opt to use use \
|
||||
`pypa/gh-action-pypi-publish@unstable/v1` instead. A more \
|
||||
general recommendation is to pin to exact tags or commit shas. \
|
||||
'\n\n' \
|
||||
'\n\n' \
|
||||
'### Oh, and while you are here — #StandWithUkraine' \
|
||||
'\n\n' \
|
||||
'[![SWUbanner]][SWUdocs]' \
|
||||
'\n\n' \
|
||||
'[SWUbanner]:' \
|
||||
'https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner-direct-single.svg' \
|
||||
'\n\n' \
|
||||
'[SWUdocs]:' \
|
||||
'https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md' \
|
||||
>> "${GITHUB_STEP_SUMMARY}"
|
||||
echo \
|
||||
::warning file='# >>' PyPA publish to PyPI GHA'%3A' \
|
||||
UNSUPPORTED GITHUB ACTION VERSION \
|
||||
'<< ':: \
|
||||
You are using '"pypa/gh-action-pypi-publish@master"'. \
|
||||
The '"master"' branch of this project has been sunset and will not \
|
||||
receive any updates, not even security bug fixes. Please, make \
|
||||
sure to use a supported version. If you want to pin to v1 major \
|
||||
version, use '"pypa/gh-action-pypi-publish@release/v1"'. If you \
|
||||
feel adventurous, you may opt to use use \
|
||||
'"pypa/gh-action-pypi-publish@unstable/v1"' instead. A more \
|
||||
general recommendation is to pin to exact tags or commit shas.
|
||||
|
||||
|
||||
if [[
|
||||
"$INPUT_USER" == "__token__" &&
|
||||
! "$INPUT_PASSWORD" =~ ^pypi-
|
||||
@@ -40,10 +77,14 @@ if [[ ${INPUT_SKIP_EXISTING,,} != "false" ]] ; then
|
||||
TWINE_EXTRA_ARGS=--skip-existing
|
||||
fi
|
||||
|
||||
if [[ ${VERBOSE,,} != "false" ]] ; then
|
||||
if [[ ${INPUT_VERBOSE,,} != "false" ]] ; then
|
||||
TWINE_EXTRA_ARGS="--verbose $TWINE_EXTRA_ARGS"
|
||||
fi
|
||||
|
||||
if [[ ${INPUT_PRINT_HASH,,} != "false" || ${INPUT_VERBOSE,,} != "false" ]] ; then
|
||||
python /app/print-hash.py ${INPUT_PACKAGES_DIR%%/}
|
||||
fi
|
||||
|
||||
TWINE_USERNAME="$INPUT_USER" \
|
||||
TWINE_PASSWORD="$INPUT_PASSWORD" \
|
||||
TWINE_REPOSITORY_URL="$INPUT_REPOSITORY_URL" \
|
||||
|
||||
Reference in New Issue
Block a user