From 610e36f0bdb6a1a1584e8ef6cc356329d8e5f756 Mon Sep 17 00:00:00 2001
From: Li Yonghui
Date: Thu, 25 Jun 2026 07:40:33 +0000
Subject: [PATCH] ci: use trusted publishing in release pipeline and trigger on tags

---
 .github/workflows/main.yaml | 1 +
 .github/workflows/pypipublish.yaml | 70 +++++++++++++++++++++++++-----
 2 files changed, 59 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index c00ef57f3..63f9e96d8 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -5,6 +5,7 @@ on:
 branches: ["*"]
 pull_request:
 branches: [master]
+ workflow_call:
 jobs:
 linux:
diff --git a/.github/workflows/pypipublish.yaml b/.github/workflows/pypipublish.yaml
index 821a4bcc9..4efc98fa0 100644
--- a/.github/workflows/pypipublish.yaml
+++ b/.github/workflows/pypipublish.yaml
@@ -1,14 +1,25 @@
-name: Upload Python Package
+name: Release Python Package
+# Triggered by a tag push, this workflow creates a GitHub release
+# and publishes the package to PyPI.
 on:
- release:
- types: [created]
+ push:
+ tags:
+ - '2[0-9][0-9][0-9].[0-9].[0-9]*'
+ - '2[0-9][0-9][0-9].[0-9][0-9].[0-9]*'
 jobs:
- deploy:
+ ci:
+ uses: ./.github/workflows/main.yaml
+
+ build:
+ name: Build artifacts
+ needs: ci
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v5
+ with:
+ fetch-depth: 0
 - name: Set up Python
 uses: actions/setup-python@v6
 with:
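Review bot: The new `workflow_call:` trigger declares no `inputs` or `secrets`, so when pypipublish.yaml calls this workflow its jobs run in the caller's context (a tag `push`) and see no repository secrets unless the caller adds `secrets: inherit`. The rest of main.yaml is outside this hunk, so I can't tell whether any job there reads `secrets.*` or branches on `github.event_name`; if one does, it behaves differently under the call than on a direct push. A comment above the trigger, `# Also invoked as a reusable workflow from pypipublish.yaml`, would make that coupling visible to the next editor.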
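Review bot: The workflow sets no top-level `permissions:`, so the `ci` and `build` jobs run with the repository's default `GITHUB_TOKEN` grant, which can be read-write depending on repository settings, even though only `release` and `publish` need write access. Adding `permissions:` / `  contents: read` at the top level, after the `on:` block, makes the build-side token read-only while the job-level blocks in the second hunk still elevate `release` and `publish`. Every `uses:` in this file, including `softprops/action-gh-release@v2` and `pypa/gh-action-pypi-publish@release/v1` in the second hunk, is pinned to a mutable tag or branch; for a workflow that mints a PyPI-trusted OIDC token, pinning third-party actions to a full commit SHA with the tag in a trailing comment is the usual mitigation against a compromised upstream tag.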
@@ -16,11 +27,46 @@ jobs:
 - name: Install dependencies
 run: |
 python -m pip install --upgrade pip
- pip install hatch twine
- - name: Build and publish
- env:
- TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
- TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
- run: |
- hatch build
- twine upload dist/*
+ pip install build
+ - name: Build
+ run: python -m build
+ - name: Upload artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: dist
+ path: dist/
+
+ release:
+ name: Create Release
+ needs: build
+ if: "!contains(github.ref_name, 'dev') && github.event_name == 'push'"
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - name: Download artifacts
+ uses: actions/download-artifact@v4
+ with:
+ name: dist
+ path: dist/
+ - name: Create Release
+ uses: softprops/action-gh-release@v2
+ with:
+ generate_release_notes: true
+ files: dist/*
+
+ publish:
+ name: Upload release to PyPI
+ needs: release
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ environment: pypi
+ steps:
+ - name: Download artifacts
+ uses: actions/download-artifact@v4
+ with:
+ name: dist
+ path: dist/
+ - name: Publish
+ uses: pypa/gh-action-pypi-publish@release/v1
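Review bot: The `publish` job grants `id-token: write` on `environment: pypi`, but nothing in the workflow itself restricts which refs may reach that job; the `if:` on `release` only filters out tags containing `dev`, and a job that `needs: release` is skipped along with it, so the real control is the environment's deployment protection rules (tag-pattern restriction and/or required reviewers) together with the PyPI trusted-publisher entry, which must name this workflow file and the `pypi` environment. That dependency is not written down anywhere in the hunk; a comment above the job such as `# PyPI trusted publisher must reference pypipublish.yaml and environment "pypi"; protect that environment in repository settings` would save the next maintainer a failed or, worse, an unreviewed release. Separately, `github.event_name == 'push'` in the `release` job's `if:` is redundant now that `push` is the workflow's only trigger, so `if: "!contains(github.ref_name, 'dev')"` says the same thing more plainly.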