Add PyPI publish workflow with reusable build-wheels#7
Conversation
shaia
commented
Nov 30, 2025
shaia
commented
- Add workflow_call trigger to build-wheels.yml for reusability
- Create publish.yml that reuses build-wheels workflow
- Support release, tag push (v*), and manual dispatch triggers
- Publish to TestPyPI (manual) or PyPI (release/tag)
- Use trusted publishing (OIDC) for secure authentication
- Clean up debug steps from build-wheels workflow
There was a problem hiding this comment.
Pull request overview
This PR establishes an automated PyPI publishing pipeline for the cfd-python package, implementing secure OIDC-based authentication and supporting multiple deployment targets (PyPI, TestPyPI) with flexible trigger mechanisms.
Key Changes:
- Created a new
publish.ymlworkflow that orchestrates wheel building, source distribution creation, and publishing to PyPI/TestPyPI - Made
build-wheels.ymlreusable viaworkflow_calltrigger and removed debug/diagnostic steps - Implemented OIDC trusted publishing for secure, token-less authentication with PyPI registries
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
.github/workflows/publish.yml |
New workflow that builds wheels/sdist and publishes to PyPI or TestPyPI based on release events, tag pushes, or manual triggers |
.github/workflows/build-wheels.yml |
Added workflow_call trigger for reusability, added CFD_USE_STABLE_ABI environment variable, and cleaned up debug logging steps |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: sdist | ||
| path: dist/*.tar.gz |
There was a problem hiding this comment.
[nitpick] The artifact uploads in the build jobs don't specify a retention period. For a publish workflow that may run frequently (especially with manual dispatch), consider adding retention-days to prevent excessive artifact storage costs.
Example:
- uses: actions/upload-artifact@v4
with:
name: sdist
path: dist/*.tar.gz
retention-days: 5| path: dist/*.tar.gz | |
| path: dist/*.tar.gz | |
| retention-days: 5 |
| permissions: | ||
| id-token: write |
There was a problem hiding this comment.
[nitpick] The publish jobs have id-token: write for OIDC authentication, but they may also need contents: read permission to properly interact with release artifacts and repository content when triggered by release events.
Consider adding:
permissions:
id-token: write
contents: read| permissions: | ||
| id-token: write |
There was a problem hiding this comment.
[nitpick] The publish jobs have id-token: write for OIDC authentication, but they may also need contents: read permission to properly interact with release artifacts and repository content when triggered by release events.
Consider adding:
permissions:
id-token: write
contents: read| push: | ||
| tags: | ||
| - 'v*' |
There was a problem hiding this comment.
The release trigger and push with tags: v* may fire simultaneously when a GitHub release is published (since releases create tags). This could result in duplicate workflow runs attempting to publish the same version to PyPI.
Consider using only the release trigger for production releases, or add logic to prevent duplicate publishes (e.g., using a workflow concurrency group or removing one of the triggers).
| push: | |
| tags: | |
| - 'v*' |
- Add workflow_call trigger to build-wheels.yml for reusability - Create publish.yml that reuses build-wheels workflow - Support release, tag push (v*), and manual dispatch triggers - Publish to TestPyPI (manual) or PyPI (release/tag) - Use trusted publishing (OIDC) for secure authentication - Clean up debug steps from build-wheels workflow
shaia
force-pushed
the
feature/publish-workflow
branch
from
27dabdb to
375b7df
Compare
