Use Github-Actions for PyPI release process (#760)

* Initial draft of GIthub Actions workflow * install (or) load poetry from cache * Github Actions: Publish tagged commits into PyPI * Update version on the least-significant-digit -- this should not trigger PyPI publish Github Actions * Update minor version of the project * Update the instructions for the Release process * Include sigstore signatures, automatic github-release process * auto-generate release notes * revert the changes to project name and project-version * include code-rabbit's suggestions * Update .github/workflows/publish_to_pypi.yml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update .github/workflows/publish_to_pypi.yml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update .github/workflows/publish_to_pypi.yml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update .github/workflows/publish_to_pypi.yml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * incoroprate CodeRabbit suggestions: part 2 * CodeRabbitAI suggestions part-3 * remove the redundant check condition * Update .github/workflows/publish_to_pypi.yml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update .github/workflows/publish_to_pypi.yml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * include resources about Trusted Publishing on PyPI * Rectify the errors in the Github Actions file remove the check-wheel-contents usage; poetry build does not adhere to the required standards of the tool * Update .github/workflows/publish_to_pypi.yml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update .github/workflows/publish_to_pypi.yml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> --------- Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Co-authored-by: justinr1234 <[email protected]>
XRPLF · Nov 4, 2024 · ea1174b · ea1174b
1 parent a39559a
commit ea1174b
Show file tree

Hide file tree

Showing 2 changed files with 119 additions and 1 deletion.
diff --git a/.github/workflows/publish_to_pypi.yml b/.github/workflows/publish_to_pypi.yml
@@ -0,0 +1,107 @@
+name: Publish xrpl-py 🐍 distribution 📦 to PyPI
+on:
+  push:
+    tags:
+        - '*'
+
+jobs:
+  build:
+    name: Build distribution 📦
+    runs-on: ubuntu-latest
+    env:
+        POETRY_VERSION: 1.8.3
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        # Use the lowest supported version of Python for CI/CD
+        python-version: "3.8"
+    - name: Load cached .local
+      id: cache-poetry
+      uses: actions/cache@v3
+      with:
+          path: /home/runner/.local
+          key: dotlocal-${{ env.POETRY_VERSION }}-${{ hashFiles('poetry.lock') }}
+    - name: Install poetry
+      if: steps.cache-poetry.outputs.cache-hit != 'true'
+      run: |
+        curl -sSL "https://install.python-poetry.org/" | python - --version "${{ env.POETRY_VERSION }}"
+        echo "${HOME}/.local/bin" >> $GITHUB_PATH
+        poetry --version || exit 1  # Verify installation
+    - name: Build a binary wheel and a source tarball
+      run: poetry build
+    - name: Store the distribution packages
+      uses: actions/upload-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+  publish-to-pypi:
+    name: >-
+        Publish Python 🐍 distribution 📦 to PyPI
+    needs: build  # Explicit dependency on build job
+    runs-on: ubuntu-latest
+    timeout-minutes: 10  # Adjust based on typical publishing time
+    permissions:
+        # More information about Trusted Publishing and OpenID Connect: https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
+        id-token: write  # IMPORTANT: mandatory for trusted publishing
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Verify downloaded artifacts
+      run: |
+        ls dist/*.whl dist/*.tar.gz || exit 1
+    - name: Publish distribution 📦 to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
+      with:
+        verbose: true
+        verify-metadata: true
+
+  github-release:
+    name: >-
+        Sign the Python 🐍 distribution 📦 with Sigstore
+        and upload them to GitHub Release
+    needs:
+    - publish-to-pypi
+    runs-on: ubuntu-latest
+    timeout-minutes: 15  # Adjust based on typical signing and release time
+
+    permissions:
+        contents: write  # IMPORTANT: mandatory for making GitHub Releases
+        id-token: write  # IMPORTANT: mandatory for sigstore
+
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Sign the dists with Sigstore
+      uses: sigstore/[email protected]
+      with:
+        inputs: >-
+            ./dist/*.tar.gz
+            ./dist/*.whl
+    - name: Create GitHub Release
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      run: >-
+            gh release create
+            '${{ github.ref_name }}'
+            --repo '${{ github.repository }}'
+            --generate-notes ||
+            (echo "::error::Failed to create release" && exit 1)
+    - name: Upload artifact signatures to GitHub Release
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+       # Upload to GitHub Release using the `gh` CLI.
+       # `dist/` contains the built packages, and the
+       # sigstore-produced signatures and certificates.
+      run: >-
+        gh release upload
+        '${{ github.ref_name }}' dist/**
+        --repo '${{ github.repository }}'
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -202,7 +202,18 @@ This should almost always be done using the [`xrpl-codec-gen`](https://github.co
 - Merge your changes.
 
 ### Release
-
+1. Please increment the version in `pyproject.toml` and update the `CHANGELOG.md` file appropriately. We follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+2. Please select a commit that is suitable for release and create a tag. The following commands can be helpful:
+`git tag -s -a <tag-title> -m "Optional Message describing the tag"`
+`git tag` -- This command displays all the tags in the repository.
+`git push <remote_name, e.g. upstream> tag <tag_title>`
+3. A [Github Workflow](.github/workflows/publish_to_pypi.yml) completes the rest of the Release steps (building the project, generating a .whl and tarball, publishing on the PyPI platform). The workflow uses OpenID Connect's temporary keys to obtain the necessary PyPI authorization.
+As a prerequisite, the PyPI `xrpl-py` project needs to authorize Github Actions as a "Trusted Publisher". This page contains helpful resources: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#configuring-trusted-publishing
+4. Send an email to [xrpl-announce](https://groups.google.com/g/xrpl-announce).
+5. Post an announcement in the [XRPL Discord #python channel](https://discord.com/channels/886050993802985492/886053080913821717) with a link to the changes and highlighting key changes.
+
+
+**Note: If maintainers prefer to manually release the xrpl-py software distribution, the below steps are relevant.**
 1. Create a branch off main that properly increments the version in `pyproject.toml` and updates the `CHANGELOG` appropriately. We follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 2. Merge this branch into `main`.
 3. Locally build and download the package.