diff --git a/.github/workflows/_reusable-package-release.yml b/.github/workflows/_reusable-package-release.yml index c75a896b..3770cd3e 100644 --- a/.github/workflows/_reusable-package-release.yml +++ b/.github/workflows/_reusable-package-release.yml @@ -72,6 +72,14 @@ on: description: The public SSH key linked to the `secrets.ssh-signing-key-private` key that will be used to sign the commit and tag created by `python-semantic-release`. required: true + pypi-api-token: + description: The API token for the package on pypi.org. If `build-and-publish-python-package` + is set to `true`, this input must be provided or the build will fail. + required: false + test-pypi-api-token: + description: The API token for the package on test.pypi.org. If `build-and-publish-python-package` + is set to `true`, this input must be provided or the build will fail. + required: false concurrency: group: pypi (Reusable Workflows) env: @@ -181,6 +189,7 @@ jobs: - name: Upload package to Test PyPI uses: pypa/gh-action-pypi-publish@v1.9.0 with: + password: ${{ secrets.test-pypi-api-token }} repository-url: https://test.pypi.org/legacy/ # Upload the official package version to PyPI upload-pypi: @@ -200,6 +209,8 @@ jobs: path: dist - name: Upload package to PyPI uses: pypa/gh-action-pypi-publish@v1.9.0 + with: + password: ${{ secrets.pypi-api-token }} # Upload the official package binaries to the GitHub Release upload-github: name: Upload package to GitHub Release diff --git a/.github/workflows/_reusable-package-testpypi.yml b/.github/workflows/_reusable-package-testpypi.yml index 9dee0050..987d1ab7 100644 --- a/.github/workflows/_reusable-package-testpypi.yml +++ b/.github/workflows/_reusable-package-testpypi.yml @@ -12,6 +12,10 @@ on: format `owner/repo`. required: true type: string + secrets: + test-pypi-api-token: + description: The API token for the package on test.pypi.org. + required: true concurrency: group: pypi (Reusable Workflows) env: 
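Review bot: The two secrets added in the `@@ -72,6 +72,14 @@` hunk are declared `required: false`, yet the `workflows/package-release.md` table in this same diff lists both as `required`, and each description calls the secret "this input"; a caller that forgets one only finds out when the publish step fails with an authentication error deep in the job. I'd reword both descriptions to say the token should be project-scoped (not account-scoped, so a leaked secret cannot touch other projects) and that the upload job fails early when it is missing, and then back that promise with a guard step in the upload job, placed before the `pypa/gh-action-pypi-publish` step, which lives outside this hunk. The `if:` below assumes `build-and-publish-python-package` is a boolean input as the documentation table describes.
```yaml
# in the upload job, immediately before the pypa/gh-action-pypi-publish step
      - name: Check that the PyPI API token was provided
        if: ${{ inputs.build-and-publish-python-package }}
        env:
          PYPI_API_TOKEN: ${{ secrets.pypi-api-token }}
        run: |
          if [ -z "$PYPI_API_TOKEN" ]; then
            echo "::error::The pypi-api-token secret must be set when build-and-publish-python-package is true"
            exit 1
          fi
```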
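Review bot: Adding `password: ${{ secrets.pypi-api-token }}` to the production upload step in the `@@ -200,6 +209,8 @@` hunk moves `pypa/gh-action-pypi-publish` off its OIDC trusted-publishing flow (the path it takes when no `password` is given and the job holds `id-token: write`) onto a long-lived API token kept in repository secrets. A static token is a bearer credential: anyone who obtains it can upload releases from anywhere, at any time, until it is revoked, whereas the OIDC credential is short-lived and bound to this repository and workflow. The testpypi caller example elsewhere in this diff grants `id-token: write`, which suggests trusted publishing was already in reach, so unless there is a concrete reason it cannot be configured for this project I'd keep the step without `password` and register the workflow as a trusted publisher on pypi.org instead; if a token must stay, it should be project-scoped and rotated, and the secret description should say so. The `upload-pypi` job starts before this hunk.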
@@ -54,6 +58,7 @@ jobs: - name: Upload package to Test PyPI uses: pypa/gh-action-pypi-publish@v1.9.0 with: + password: ${{ secrets.test-pypi-api-token }} repository-url: https://test.pypi.org/legacy/ test-pypi-install: name: Install package from test.pypi.org diff --git a/CHANGELOG.md b/CHANGELOG.md index 92041e02..6f97d33d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,10 @@ Valid subsections within a version are: Things to be included in the next release go here. +### Changed + +- Updated the `_reusable-package-testpypi.yml` and `_reusable-package-release.yml` workflows to use a token for uploading Python packages to TestPyPI and PyPI. + --- ## v1.0.3 (2024-08-28) diff --git a/workflows/package-release.md b/workflows/package-release.md index 5d232ba5..84c9712a 100644 --- a/workflows/package-release.md +++ b/workflows/package-release.md 
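Review bot: With `password: ${{ secrets.test-pypi-api-token }}` now set on the Test PyPI upload step, the publish action authenticates with the static token, yet the documented caller example for this workflow in the same diff still grants `id-token: write` and `attestations: write` to the job. Either the token is the intended credential and the OIDC permission becomes surplus for this step — in which case confirm whether any other step still needs it and drop `id-token: write` from the documented permissions otherwise — or the OIDC trusted-publishing path is the one you want, in which case this `password:` line should not be added at all; carrying both leaves a second, long-lived credential around for no benefit. If the token stays, the secret description should state that it must be a project-scoped token issued on test.pypi.org, which is a separate index with its own tokens. The `test-pypi-install` job that begins on the hunk's last line continues outside it.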
@@ -74,18 +74,23 @@ will be used to fill in the GitHub Release Notes. | `commit-user-email` | required | The email of the user to use when committing changes to the repository. | | | `release-level` | required | The level of the release to create. Must be one of `major`, `minor`, or `patch`. | | | `build-and-publish-python-package` | optional | A boolean value that determines whether to build and publish the Python package. If set to `false`, the package binaries will not be built or published to PyPI, TestPyPI, or GitHub Releases. | `true` | -| `python-versions-array` | optional | A valid JSON array of Python versions to test against. | | +| `python-versions-array` | optional | A valid JSON array of Python versions to test against. If `inputs.build-and-publish-python-package` is set to `true`, this input must be provided or the build will fail. | | | `operating-systems-array` | optional | A valid JSON array of operating system names to run tests on. | `'["ubuntu", "windows", "macos"]'` | | `previous-changelog-filepath` | optional | The full path of the file to copy the contents of the changelog into for use in the `python-semantic-release` templates. | `'.previous_changelog_for_template.md'` | | `previous-release-notes-filepath` | optional | The full path of the file to copy the contents of the `## Unreleased` section of the changelog into for use in the GitHub Release Notes. | `'.previous_release_notes_for_template.md'` | ## Secrets -| Secret variable | Necessity | Description | -| ------------------------- | --------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `checkout-token` | required | The token to use for checking out the repository, must have permissions to write back to the repository. 
| -| `ssh-signing-key-private` | required | A private SSH key associated with the account that owns the `checkout-token` that will be used to sign the commit and tag created by `python-semantic-release`. | -| `ssh-signing-key-public` | required | The public SSH key linked to the `secrets.ssh-signing-key-private` key that will be used to sign the commit and tag created by `python-semantic-release`. | +| Secret variable | Necessity | Description | +| ------------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| `checkout-token` | required | The token to use for checking out the repository, must have permissions to write back to the repository. | +| `ssh-signing-key-private` | required | A private SSH key associated with the account that owns the `checkout-token` that will be used to sign the commit and tag created by `python-semantic-release`. | +| `ssh-signing-key-public` | required | The public SSH key linked to the `secrets.ssh-signing-key-private` key that will be used to sign the commit and tag created by `python-semantic-release`. | +| `pypi-api-token` | required | The API token for the package on pypi.org. If `inputs.build-and-publish-python-package` is set to `true`, this input must be provided or the build will fail. | +| `test-pypi-api-token` | required | The API token for the package on test.pypi.org. If `inputs.build-and-publish-python-package` is set to `true`, this input must be provided or the build will fail. | + +> [!CAUTION] +> If a Python package is intended to be built and published, **the `pypi-api-token` and `test-pypi-api-token` secrets must be provided**. ## Example 
@@ -127,6 +132,8 @@ jobs: checkout-token: ${{ secrets.CHECKOUT_TOKEN }} ssh-signing-key-private: ${{ secrets.SSH_SIGNING_KEY_PRIVATE }} ssh-signing-key-public: ${{ secrets.SSH_SIGNING_KEY_PUBLIC }} + pypi-api-token: ${{ secrets.PYPI_API_TOKEN }} + test-pypi-api-token: ${{ secrets.TEST_PYPI_API_TOKEN }} ``` [workflow-file]: ../.github/workflows/_reusable-package-release.yml diff --git a/workflows/package-testpypi.md b/workflows/package-testpypi.md index 9b632107..57f1c2b5 100644 --- a/workflows/package-testpypi.md +++ b/workflows/package-testpypi.md @@ -47,6 +47,12 @@ officially released version of the package, incrementing `N` each time the workf | `package-name` | required | The name of the package to build, upload, and install. | | | `repo-name` | required | The full name of the repository to use to gate uploads, in the format `owner/repo`. | | +## Secrets + +| Secret variable | Necessity | Description | +| --------------------- | --------- | ----------------------------------------------- | +| `test-pypi-api-token` | required | The API token for the package on test.pypi.org. | + ## Example ```yaml @@ -66,6 +72,8 @@ jobs: contents: read id-token: write attestations: write + secrets: + test-pypi-api-token: ${{ secrets.TEST_PYPI_API_TOKEN }} ``` [workflow-file]: ../.github/workflows/_reusable-package-testpypi.yml