/deploy-pypi

Securely build and upload Python distributions to PyPI

OtherNOASSERTION

GitHub Action: PyPI Deployment

Test

Securely build and upload Python distributions to PyPI.

Example

    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
      - uses: casperdcl/deploy-pypi@v2
        with:
          build: --outdir dist .
          # only upload if a tag is pushed (otherwise just build & check)
          upload: ${{ github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags') }}

Why

PyPI Deployment:

  • Supports building
    • supports customisable build requirements
    • supports customisable build command
    • supports PEP517 projects lacking a setup.py file
  • Supports PEP740 attestations
  • Supports GPG signing
  • Each stage is optional (build, check, sign and upload)
  • Uses a blazing fast container-free GitHub action
  • Outputs names of files for upload (for convenience in subsequent steps)
  • Has the entirety of the code in a single file, making it very easy to review

The main alternative GitHub Action pypi-publish currently does not offer the benefits above.

Other features (supported by both) include:

  • Supports checking built files
  • Supports skipping existing uploads
  • Supports OIDC PyPI trusted publishing

Security

If you are distrust me, use a commit SHA of a version you've manually reviewed (e.g. uses: casperdcl/deploy-pypi@30558fb88986c7851adcb25ed104b3a3beba29f3)

Inputs

You likely should specify exactly one of the following: setup, build or pip.

inputs:
  user:
    description: PyPI username
    default: __token__
  password:
    description: PyPI password or API token
  registry_domain:
    description: PyPI trusted publisher URL
    default: https://upload.pypi.org
  requirements:
    description: Packages to `pip install` before building
    default: twine wheel build
  setup:
    description: '`setup.py` command to run ("true" is a shortcut for "clean sdist -d <dist_dir> bdist_wheel -d <dist_dir>")'
    default: false
  build:
    description: '`python -m build` command to run ("true" is a shortcut for "-o <dist_dir>")'
    default: false
  pip:
    description: '`pip` command to run ("true" is a shortcut for "wheel -w <dist_dir> --no-deps .")'
    default: false
  check:
    description: Whether to run basic checks on the built files
    default: true
  upload:
    description: Whether to upload
    default: true
  dist_dir:
    description: Directory containing distributions
    default: dist
  url:
    description: Destination repository (package index) URL
  attestations:
    description: 'Use PEP 740 attestations if `upload`ing to a trusted publisher `registry_domain`'
    default: true
  gpg_key:
    description: GPG key to import for signing
  skip_existing:
    description: Continue uploading files if one already exists
    default: false
outputs:
  whl:
    description: Basename of *.whl for upload
  targz:
    description: Basename of *.tar.gz for upload
  whl_asc:
    description: Basename of *.whl.asc for upload (requires <gpg_key>)
  targz_asc:
    description: Basename of *.tar.gz.asc for upload (requires <gpg_key>)