Open webknjaz opened 2 months ago
Hi @webknjaz,
Thanks a lot for all the information you're sharing here. We should definitely adopt actions/pypi-publish.
With regards to the use of eggs, we've been using it for running Avocado itself, like in containers with the Podman spawner (avocado run --spawner=podman) without the need to actually install Python packages. I understand that we may eventually have to come up with a different solution, but that has been working great for that use case.
Anyway, thanks again, and we'll definitely follow up with your suggestion.
Hey, I noticed some outdated practices in .github/workflows/release.yml and with my PyPA hat on, I decided to document a few possible improvements.
Ever since GHA went GA I've been trying to improve a standard dist publishing method and came up with an action that is now under the PyPA umbrella, being recommended officially in various places including GitHub's own docs: https://github.com/marketplace/actions/pypi-publish#usage.
I saw that you resort to storing username/password for uploading the dists to PyPI as GitHub repository secrets. While technically this works, there's a better way — using secretless publishing that's gone GA about a year ago. And my action started supporting it even earlier — during the private alpha testing period.
My PyPUG guide now contains a full example of using it. Follow https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ and you'll be set. The GH doc is not as detailed: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi#updating-your-github-actions-workflow.
This requires some changes but is quite straightforward:
pypi
with required reviews in the repo settings
Another observation that surprised me is the use of a dead non-standardized format that's been discouraged for like a decade and is dangerous to use — eggs. So I'm curious — what's the use case for even making them in the first place, in 2024?