-
-
Notifications
You must be signed in to change notification settings - Fork 212
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
README should mention that PyPI doesn't accept local version identifiers #322
README should mention that PyPI doesn't accept local version identifiers #322
Comments
it works fine with local pypi servers, and its actually intended to be a protection - don't accidentally upload "non-releases" for a normal release processs you'd never need the workarounds |
Right. And yet this'd better be documented. |
thats a interesting one, def worthwile |
Thanks for this. It would be nice if this could be configurable (not just via env variable). I use local version identifiers in packages that are uploaded to a local devpi server. Removing the tag is definitely undesirable, as it is used to indicate actual differences in the bdist when building extension libraries (for example, the extension may be built to statically link against different versions of a library). |
The patch adds mention in README that local version identifiers don’t allow publishing to PyPI/TestPyPI. Also, it suggests local private index (devpi) if required to use the local component in versions. Resolves pypa#322 Co-authored-by: Sviatoslav Sydorenko <webknjaz+github/[email protected]>
The patch adds mention in README that local version identifiers in packages don't allow publishing to PyPI/TestPyPI. Also, it suggests alternative local servers for using local version identifiers. Resolves pypa#322 Co-authored-by: Sviatoslav Sydorenko <webknjaz+github/[email protected]>
The patch adds mention in README that local version identifiers in packages don't allow publishing to PyPI/TestPyPI. Also, it suggests alternative local servers for using local version identifiers. Resolves pypa#322 Co-authored-by: Sviatoslav Sydorenko <webknjaz+github/[email protected]>
The patch adds mention in README that local version identifiers in packages don't allow publishing to PyPI/TestPyPI. Also, it suggests alternative local servers for using local version identifiers. Resolves pypa#322 Co-authored-by: Sviatoslav Sydorenko <webknjaz+github/[email protected]>
The patch adds mention in README that local version identifiers in packages don't allow publishing to PyPI/TestPyPI. Also, it suggests alternative local servers for using local version identifiers. Resolves pypa#322 Co-authored-by: Sviatoslav Sydorenko <webknjaz+github/[email protected]>
The patch adds mention in README that local version identifiers in packages don't allow publishing to PyPI/TestPyPI. Also, it suggests alternative local servers for using local version identifiers. Resolves pypa#322 Co-authored-by: Sviatoslav Sydorenko <webknjaz+github/[email protected]>
* Emphasize permitted version format in packages for publication The patch adds mention in README that local version identifiers in packages don't allow publishing to PyPI/TestPyPI. Also, it suggests alternative local servers for using local version identifiers. Resolves #322 Co-authored-by: Sviatoslav Sydorenko <webknjaz+github/[email protected]> * Edit typo in README.rst Co-authored-by: Sviatoslav Sydorenko <[email protected]> --------- Co-authored-by: Sviatoslav Sydorenko <webknjaz+github/[email protected]> Co-authored-by: Sviatoslav Sydorenko <[email protected]>
By default, setuptools_scm applies "local version identifiers" to non-tag versions [^1]. In practice, this means appending the short git hash as a suffix to the version string. However, TestPyPI doesn't allow publishing distributions that include local version labels [^2][^3][^4]. This is intended to prevent accidental upload of non-release versions, but it makes it a bit more complicated to test our CD pipeline. We could try to work around this by spoofing the version using `SETUPTOOLS_SCM_PRETEND_VERSION`[^5]. Alternatively, we could simply disable local version identifiers in the setuptools_scm configuration. Including the git hash in the version string of non-tag builds seems very useful, but handling the version spoofing in CI seems much more complicated than I'm willing to tolerate. So for now we'll forego the local version labels, but in the future it'd be nice to reenable them and adopt a better workaround. [^1]: https://packaging.python.org/en/latest/specifications/version-specifiers/#local-version-identifiers [^2]: pypa/setuptools-scm#322 [^3]: pypa/setuptools-scm#455 [^4]: pypa/setuptools-scm#478 [^5]: https://setuptools-scm.readthedocs.io/en/latest/overrides/
* Build wheels & sdists in CI Add a CI job that runs on pull requests and pushes to main and executes the following steps: * Build wheels for Linux & macOS x86_64, as well as Linux i686 and macOS ARM64 using cibuildwheel * Run the test suite using generated wheels (except for macOS ARM64, which is cross-compiled) * Lint wheels using check-wheel-contents * Build an sdist and lint it using `twine check` * Publish wheels & sdist to TestPyPI * Fix TestPyPI URL The publisher name & URL must match the project name in pyproject.toml. I was hoping to name the Python module "snaphu" but name the PyPI package "snaphu-py", but it looks like that's not possible (at least not possible with this method of publishing distributions). https://docs.pypi.org/trusted-publishers/troubleshooting/#upload-errors * Remove local version identifiers By default, setuptools_scm applies "local version identifiers" to non-tag versions [^1]. In practice, this means appending the short git hash as a suffix to the version string. However, TestPyPI doesn't allow publishing distributions that include local version labels [^2][^3][^4]. This is intended to prevent accidental upload of non-release versions, but it makes it a bit more complicated to test our CD pipeline. We could try to work around this by spoofing the version using `SETUPTOOLS_SCM_PRETEND_VERSION`[^5]. Alternatively, we could simply disable local version identifiers in the setuptools_scm configuration. Including the git hash in the version string of non-tag builds seems very useful, but handling the version spoofing in CI seems much more complicated than I'm willing to tolerate. So for now we'll forego the local version labels, but in the future it'd be nice to reenable them and adopt a better workaround. [^1]: https://packaging.python.org/en/latest/specifications/version-specifiers/#local-version-identifiers [^2]: pypa/setuptools-scm#322 [^3]: pypa/setuptools-scm#455 [^4]: pypa/setuptools-scm#478 [^5]: https://setuptools-scm.readthedocs.io/en/latest/overrides/ * Don't build wheels or publish to TestPyPI for PRs Instead, these CI jobs should only be triggered by pushes to upstream branches. Building wheels is very slow compared to the other CI jobs (up to an hour for 32-bit Linux wheels vs 1-2 minutes for the basic build&test CI pipeline). Furthermore, publishing to TestPyPI via OIDC seems to be impossible in pull requests from public forks. The maximum allowed `id-token` permissions for public forks is `read` [^1], whereas publishing via OIDC requires `id-token: write` permissions [^2]. [^1]: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token [^2]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
And maybe suggest some workarounds for that.
Currently I came up with:
python -c 'import setuptools_scm; print(setuptools_scm.get_version(local_scheme=lambda v: ""))' | read SETUPTOOLS_SCM_PRETEND_VERSION
setuptools_scm.local_scheme
entrypoint withlambda v: ""
Which should probably be done only when uploading the dist because in all other cases it's still nice to have local identifier.
Ref: pypa/twine#430
Ref: pypa/packaging.python.org#578
The text was updated successfully, but these errors were encountered: