Publish blurb to PyPI using Trusted Publishers
hugovk opened this issue ยท 24 comments
The short story
It would be nice to automate releases.
Long version
Similar to cherry_picker (python/cherry-picker#94), let's set up automated deploys to PyPI.
We'll need to pick a tag name format, so far we only have cherry-picker-vX.Y.Z in this repo: https://github.com/python/core-workflow/tags. Shall we use blurb-vX.Y.Z here?
TODO
- Move blurb to own repo python/core-workflow#329
- Decide on tag name
- Reserve blurb on https://test.pypi.org/project/blurb/
- Add other people to https://test.pypi.org/project/blurb/ to improve bus factor - who else shall I add there?
- Create release workflow: python/blurb#14
- Set up Trusted Publisher on https://test.pypi.org/project/blurb/
- Set up Trusted Publisher on https://pypi.org/project/blurb/
Thanks for blurb!
I would add "move blurb to its own repo" at the top of the checklist, otherwise sounds good to me.
Added!
Once in its own repo, we don't need to worry about tag collisions and can use a more standard X.Y.Z or vX.Y.Z.
blurb is now in its own repo ๐
Once in its own repo, we don't need to worry about tag collisions and can use a more standard
X.Y.ZorvX.Y.Z.
No strong preference from me, some prefer vX.Y.Z because it allows matching with a v* wildcard. We also X.Y.Z for branches and vX.Y.Z for tags in https://github.com/python/cpython, so "copy CPython" is good enough for me: let's use vX.Y.Z.
I've set up the Trusted Publisher for TestPyPI at https://test.pypi.org/manage/project/blurb/settings/publishing/
Here's a PR to add the release workflow: python/blurb#14. We can merge this before setting it up on production PyPI, it'll verify the TestPyPI setup.
Then we need to set up production PyPI before doing a proper release.
@hugovk I suggest using a GitHub Environment called testpypi for the TestPyPI uploads and pypi for the regular PyPI. This is what I use in the guides and IRL.
I merged #14 and it successfully deployed in https://github.com/python/blurb/actions/runs/8661563398/job/23751747417 to https://test.pypi.org/project/blurb/0.1.dev64/ โ
[ ] Add other people to test.pypi.org/project/blurb to improve bus factor - who else shall I add there?
@ambv Can I add you? Do you have a Test PyPI account?
[ ] Set up Trusted Publisher on pypi.org/project/blurb
I see Brett and Larry listed at https://pypi.org/project/blurb/
@brettcannon or @larryhastings:
Please could you either set up Trusted Publishers for blurb here using the same settings as #4 (comment)
OR add @ambv and I'll ask him to do it?
Thanks!
I'm happy to help! I'm ambvtest on test.pypi.org.
Thanks, invited!
Accepted!
Please could you either set up Trusted Publishers for blurb here using the same settings as #4 (comment)
Correction: the settings should be almost the same. The Environment name field must be pypi per 4bcc5b1. In case of a mismatch, PyPI will reject uploads.
@brettcannon When you get a moment, please could you either set up Trusted Publishers for blurb here using the same settings as #4 (comment)?
Or add @ambv or me to the PyPI project and we can do it?
Thank you!
@hugovk I unfortunately can't as I'm not an admin on the project. @larryhastings will need to add someone to make the changes.
I don't think I'm an admin on this project either.
@larryhastings @brettcannon only you two are listed on PyPI as maintainers. This means one of you must be an owner. Unless PyPI itself is broken somehow.
It's entirely possible I'm being dumb. But I'm logged in to Github as myself, and I don't see the "Settings" tab along the top for this repository. I thought that meant I was just a contributor, not a maintainer. If I'm wrong about that, how can I determine my maintainer status on this project?
This is about PyPI not GitHub:
- Log in at https://pypi.org/account/login/
- Go to https://pypi.org/manage/project/blurb/collaboration/
- There you can see who has what access on PyPI, and add more people. @ambv's PyPI username is
ambvand mine ishugovk.
Okay, I understand. And yes Brett and I are the two maintainers of blurb on PyPI.
I'm not allowed to change anything on blurb until I enable 2FA. I'm busy just now, give me a day or two to deal with this. (Unless Brett gets to it first or something.)
Unless Brett gets to it first or something
@larryhastings since Brett said he doesn't have access, I assume that his access is "Maintainer" (only allows uploading new releases IIRC) and yours is "Owner". Most things are only available to Owners. In case of putting a project under an org, the RBAC would be a bit more flexible than that. But registering orgs on PyPI is on pause per my understanding.
So if you want someone else to configure trusted publishing, make sure to add them as an owner.
@webknjaz I requested the "python" and "cpython" PyPI organisations in December, no news yet: https://discuss.python.org/t/request-python-organisation-on-pypi/26545/9
@hugovk I know. That PyPI support engineer might be able to get through the queue later on. I asked Mike at PyCon and apparently, they don't want to make exceptions to demonstrate to companies that they need to fund more positions like that.
I've added hugovk as a Maintainer. Is that sufficient?
Thanks, I've accepted, but Owner permission is needed to be able to click the Manage button to set it up:
https://docs.pypi.org/trusted-publishers/adding-a-publisher/
I see:
Please could you add Owner permissions?
Thank you! I now have Owner permissions and have set up Trusted Publishing like this at https://pypi.org/manage/project/blurb/settings/publishing/:
I'll prepare and make a release in the near future to test it out, and update https://github.com/python/blurb/blob/main/RELEASING.md as needed.
I've also invited developer-in-residence @ambv as Owner to help with bus factor.
Successfully released!
- https://github.com/python/blurb/actions/runs/9829355087
- https://pypi.org/project/blurb/1.2.0/
- https://github.com/python/blurb/releases/tag/v1.2.0
Thanks all!