Release to PyPI via Github Action

[MartinThoma]

As the maintainer of pypdf I've recently decided to add a Github Action that can make releases of pypdf to PyPI. See https://github.com/py-pdf/pypdf/blob/main/.github/workflows/release.yaml . Maybe that is interesting for camelot as well?

Reasons for adding a workflows/release.yaml Github Action

1. Saving time: Yes, releasing is just a flit publish in my case. But still an extra step.
2. Reducing complexity: Again, just one step was removed. But I'm happy if this becomes easier.
3. Allowing the community to release: pypdf was not active for a long time. It could happen again if I became inactive. While we have some people on Github in the py-pdf organization / the pypdf repository with e.g. the permission to merge, I didn't want to add people to the project as the permission system of PyPI is lacking (e.g. the new admins could remove myself as an admin - no chance to recover). However, you can create project-based tokens that have only the permission to publish new packages.

How it works

Requirements

1. Create a PyPI token: https://pypi.org/help/#apitoken
2. Add a Github Repository Secret: Go to https://github.com/camelot-dev/camelot/settings/secrets/actions and store it as a repository secret called FLIT_PASSWORD

Triggering Workflows

I chose to use new git tags as the triggering mechanism:

on:
  push:
    tags:
      - '*.*.*'

See https://docs.github.com/en/actions/using-workflows/triggering-a-workflow for alternatives

The action

      - name: Install Flit
        run: |
          python -m pip install --upgrade pip
          pip install flit

      - name: Publish Package to PyPI🚀
        env:
          FLIT_USERNAME: '__token__'
          FLIT_PASSWORD: ${{ secrets.FLIT_PASSWORD }}
        run: |
          flit publish

That would require a pyproject.toml.

You could for sure also use twine. You would just need to call the environment variables a bit different: https://twine.readthedocs.io/en/stable/

Discussion

Let me know what you think about it :-)

[bosd]

I love this setup!!

Apparently one needs enough permissions to setup the token. @MartinThoma Do you have these permissions?

[MartinThoma]

No. Neither in github nor on pypi. I could prepare a pr for it though :-)

[bosd]

The Camelot-dev organisation lists @dimitern and @vinayak-mehta as people part of the organisation. They could set the repo settings and permissions.

@vinayak-mehta Shows up as recovering. But he made some contributions today to some private repo's. Let's hope he comes back here, to adjust the settings. (And add user's / bot / key to pypi.) So the community can continue this project.

[vinayak-mehta]

@MartinThoma I can add you to the PyPI project, what's your username?

[vinayak-mehta]

I'll follow up on some of these issues in the coming days to make sure everything is set up for the project to not be blocked without me

[vinayak-mehta]

@MartinThoma I can add you to the PyPI project, what's your username?

I found it! https://pypi.org/user/Martin.Thoma/

Just sent you an invite

[MartinThoma]

Thank you :heart: I've just accepted it. That means I can take care of releases now for camelot.

It makes me very happy that we now have the chance to revive camelot again :tada: :hugs:

[foarsitter]

The current release process is documented here: https://cookiecutter-hypermodern-python.readthedocs.io/en/2022.6.3.post1/guide.html#how-to-make-a-release

It triggers when the version in pyproject.toml gets changed and merged into master.

[MartinThoma]

That doesn't work because the secrets are not set:

1. I cannot create a token as I'm only a maintainer on PyPI
2. I cannot add a secret to the Github reposiotry as I don't have full permissions.

[ZupoLlask]

@vinayak-mehta