Pivot PyPI publishing to use trusted publishers (#1001)
* Pivot PyPI publishing to use trusted publishers

This commit updates the wheel job CI configuration to leverage PyPI's
trusted publisher mechanism. Moving forward the bot account we've been
using will be deleted (as it will require 2fa) and the rustworkx github
repository's wheels.yml workflow has been setup as a trusted publisher.
This commit updates the job configuration per:

https://docs.pypi.org/trusted-publishers/using-a-publisher/

to authenticate the job directly against pypi for publishing the package
files without needing any user credentials.

* Use shared upload job for all jobs that use non-linux
mtreinish authored Oct 18, 2023
1 parent b1537d9 commit f4ee4cf
Showing 1 changed file with 86 additions and 69 deletions.
155 changes: 86 additions & 69 deletions .github/workflows/wheels.yml
Expand Up @@ -20,28 +20,29 @@ jobs:
sdist:
name: Build sdist
runs-on: ubuntu-latest
needs: ["build_wheels", "build-win32-wheels"]
environment: release
permissions:
id-token: write
needs: ["upload_shared_wheels"]
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
name: Install Python
with:
python-version: '3.8'
- name: Install deps
run: pip install -U twine setuptools-rust
run: pip install -U setuptools-rust
- name: Build sdist
run: python setup.py sdist
- uses: actions/upload-artifact@v3
with:
path: ./dist/*
- name: Upload to PyPI
run: twine upload ./dist/*
env:
TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
TWINE_USERNAME: retworkx-ci
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
build_wheels:
name: Build wheels on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
environment: release
strategy:
fail-fast: false
matrix:
Expand All @@ -55,21 +56,36 @@ jobs:
- uses: dtolnay/rust-toolchain@stable
- name: Install cibuildwheel
run: |
python -m pip install cibuildwheel==2.16.2 twine
python -m pip install cibuildwheel==2.16.2
- name: Build wheels
run: |
python -m cibuildwheel --output-dir wheelhouse
- uses: actions/upload-artifact@v3
with:
path: ./wheelhouse/*.whl
- name: Upload to PyPI
run: twine upload ./wheelhouse/*.whl
env:
TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
TWINE_USERNAME: retworkx-ci
name: shared-wheel-builds
upload_shared_wheels:
name: Upload shared build wheels
runs-on: ubuntu-latest
environment: release
permissions:
id-token: write
needs: ["build_wheels", "build-mac-arm-wheels", "build-win32-wheels"]
steps:
- uses: actions/download-artifact@v3
with:
name: shared-wheel-builds
path: deploy
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: deploy
build_wheels_aarch64:
name: Build wheels on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
environment: release
permissions:
id-token: write
strategy:
fail-fast: false
matrix:
Expand All @@ -87,7 +103,7 @@ jobs:
platforms: all
- name: Install cibuildwheel
run: |
python -m pip install cibuildwheel==2.16.2 twine
python -m pip install cibuildwheel==2.16.2
- name: Build wheels
run: |
python -m cibuildwheel --output-dir wheelhouse
Expand All @@ -97,9 +113,16 @@ jobs:
- uses: actions/upload-artifact@v3
with:
path: ./wheelhouse/*.whl
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: wheelhouse/
build_wheels_aarch64_part_2:
name: Build wheels on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
environment: release
permissions:
id-token: write
strategy:
fail-fast: false
matrix:
Expand All @@ -117,7 +140,7 @@ jobs:
platforms: all
- name: Install cibuildwheel
run: |
python -m pip install cibuildwheel==2.16.2 twine
python -m pip install cibuildwheel==2.16.2
- name: Build wheels
run: |
python -m cibuildwheel --output-dir wheelhouse
Expand All @@ -127,14 +150,16 @@ jobs:
- uses: actions/upload-artifact@v3
with:
path: ./wheelhouse/*.whl
- name: Upload to PyPI
run: twine upload ./wheelhouse/*.whl
env:
TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
TWINE_USERNAME: retworkx-ci
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: wheelhouse/
build_wheels_ppc64le:
name: Build wheels on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
environment: release
permissions:
id-token: write
strategy:
fail-fast: false
matrix:
Expand All @@ -152,7 +177,7 @@ jobs:
platforms: all
- name: Install cibuildwheel
run: |
python -m pip install cibuildwheel==2.16.2 twine
python -m pip install cibuildwheel==2.16.2
- name: Build wheels
run: |
python -m cibuildwheel --output-dir wheelhouse
Expand All @@ -162,14 +187,16 @@ jobs:
- uses: actions/upload-artifact@v3
with:
path: ./wheelhouse/*.whl
- name: Upload to PyPI
run: twine upload ./wheelhouse/*.whl
env:
TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
TWINE_USERNAME: retworkx-ci
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: wheelhouse/
build_wheels_ppc64le_part2:
name: Build wheels on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
environment: release
permissions:
id-token: write
strategy:
fail-fast: false
matrix:
Expand All @@ -187,7 +214,7 @@ jobs:
platforms: all
- name: Install cibuildwheel
run: |
python -m pip install cibuildwheel==2.16.2 twine
python -m pip install cibuildwheel==2.16.2
- name: Build wheels
run: |
python -m cibuildwheel --output-dir wheelhouse
Expand All @@ -197,14 +224,16 @@ jobs:
- uses: actions/upload-artifact@v3
with:
path: ./wheelhouse/*.whl
- name: Upload to PyPI
run: twine upload ./wheelhouse/*.whl
env:
TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
TWINE_USERNAME: retworkx-ci
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: wheelhouse/
build_wheels_s390x:
name: Build wheels on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
environment: release
permissions:
id-token: write
strategy:
fail-fast: false
matrix:
Expand All @@ -222,7 +251,7 @@ jobs:
platforms: all
- name: Install cibuildwheel
run: |
python -m pip install cibuildwheel==2.16.2 twine
python -m pip install cibuildwheel==2.16.2
- name: Build wheels
run: |
python -m cibuildwheel --output-dir wheelhouse
Expand All @@ -232,14 +261,16 @@ jobs:
- uses: actions/upload-artifact@v3
with:
path: ./wheelhouse/*.whl
- name: Upload to PyPI
run: twine upload ./wheelhouse/*.whl
env:
TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
TWINE_USERNAME: retworkx-ci
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: wheelhouse/
build_wheels_s390x_part2:
name: Build wheels on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
environment: release
permissions:
id-token: write
strategy:
fail-fast: false
matrix:
Expand All @@ -257,7 +288,7 @@ jobs:
platforms: all
- name: Install cibuildwheel
run: |
python -m pip install cibuildwheel==2.16.2 twine
python -m pip install cibuildwheel==2.16.2
- name: Build wheels
run: |
python -m cibuildwheel --output-dir wheelhouse
Expand All @@ -267,14 +298,14 @@ jobs:
- uses: actions/upload-artifact@v3
with:
path: ./wheelhouse/*.whl
- name: Upload to PyPI
run: twine upload ./wheelhouse/*.whl
env:
TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
TWINE_USERNAME: retworkx-ci
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: wheelhouse/
build-mac-arm-wheels:
name: Build wheels on macos for arm and universal2
runs-on: macos-latest
environment: release
steps:
- uses: actions/checkout@v3
- name: Build wheels
Expand All @@ -287,21 +318,11 @@ jobs:
- uses: actions/upload-artifact@v3
with:
path: ./wheelhouse/*.whl
- uses: actions/setup-python@v4
name: Install Python
with:
python-version: '3.8'
- name: Install twine
run: |
python -m pip install twine
- name: Upload to PyPI
run: twine upload ./wheelhouse/*.whl
env:
TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
TWINE_USERNAME: retworkx-ci
name: shared-wheel-builds
build-win32-wheels:
name: Build wheels on win32
runs-on: windows-latest
environment: release
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
Expand All @@ -316,7 +337,7 @@ jobs:
run: rustup default stable-i686-pc-windows-msvc
- name: Install cibuildwheel
run: |
python -m pip install cibuildwheel==2.16.2 twine
python -m pip install cibuildwheel==2.16.2
- name: Build wheels
run: |
python -m cibuildwheel --output-dir wheelhouse
Expand All @@ -325,32 +346,28 @@ jobs:
- uses: actions/upload-artifact@v3
with:
path: ./wheelhouse/*.whl
- name: Upload to PyPI
run: twine upload ./wheelhouse/*.whl
env:
TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
TWINE_USERNAME: retworkx-ci
name: shared-wheel-builds
retworkx-compat-build:
name: Build retworkx
runs-on: ubuntu-latest
needs: ["build_wheels", "build-win32-wheels"]
environment: release
permissions:
id-token: write
needs: ["upload_shared_wheels"]
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
name: Install Python
with:
python-version: '3.10'
- name: Install deps
run: pip install -U twine setuptools-rust wheel build
run: pip install -U setuptools-rust wheel build
- name: Build sdist
run: python setup.py bdist_wheel
env:
RUSTWORKX_PKG_NAME: retworkx
- uses: actions/upload-artifact@v3
with:
path: ./dist/*
- name: Upload to PyPI
run: twine upload ./dist/*
env:
TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
TWINE_USERNAME: retworkx-ci
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
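Review bot: The emulated-architecture jobs (`build_wheels_aarch64`, `build_wheels_aarch64_part_2`, `build_wheels_ppc64le`, `build_wheels_ppc64le_part2`, `build_wheels_s390x`, `build_wheels_s390x_part2`) and the `sdist` and `retworkx-compat-build` jobs carry `permissions: id-token: write` for the whole job, so their `pip install` and cibuildwheel / `setup.py` build steps run in a job that is allowed to request the OIDC token PyPI trusts. The commit already splits build from upload for the shared wheels through `upload_shared_wheels`; giving the remaining jobs the same shape, as sketched below for aarch64, keeps the publishing permission in jobs that only download artifacts and publish. `pypa/gh-action-pypi-publish@release/v1` is a branch reference, so each publishing job would be better pinned to a full commit SHA, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, to fix which code runs with that permission. The `environment: release` lines added to `build_wheels`, `build-mac-arm-wheels` and `build-win32-wheels` look unnecessary now that those jobs no longer publish. The matrix and QEMU setup of each job are collapsed outside the visible hunks, so this is based only on the lines shown.

```yaml
  build_wheels_aarch64:
    # … unchanged: name, runs-on, strategy, checkout, QEMU, cibuildwheel steps …
    # no `permissions: id-token: write` and no publish step in the build job
      - uses: actions/upload-artifact@v3
        with:
          path: ./wheelhouse/*.whl
          name: aarch64-wheel-builds  # constructed artifact name
  upload_aarch64_wheels:
    name: Upload aarch64 wheels
    runs-on: ubuntu-latest
    environment: release
    permissions:
      id-token: write
    needs: ["build_wheels_aarch64"]
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: aarch64-wheel-builds
          path: deploy
      - name: Publish package distributions to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          packages-dir: deploy
```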
