Open GenevieveBuckley opened 1 month ago
I'd say this change is good to have, but not super urgent. Maybe we should aim to get it done in the next 1-2 releases, or the next six months?
Sorry Constantin, I know I had you make those PyPI API tokens very recently. I didn't realise this was the better way to do it!
No worries and thanks for looking into it @GenevieveBuckley. I was a bit delayed with testing the PyPI upload anyways; I want to do this together with a new patch release but still need to work on a few minor things for this. I should be able to do this early next week. I will check this issue out then.
No worries. We could easily wait for this to happen in https://github.com/napari/napari-animation/issues/211 (I've opened https://github.com/napari/napari-animation/pull/212), and see how things go there first. There might be one or two hiccups we can learn from.
Ok! Let's wait for the PR in napari-animation and also figure out why our current deployment is not working before that, see #530.
PyPI introduced Trusted Publishers last year (see the announcement and how trusted publishing works). This improves security, since you no longer rely on having long-lived API tokens to use with twine.
We recently added a PyPI deployment job to the release workflow in https://github.com/computational-cell-analytics/micro-sam/pull/606. That PR uploads to PyPI using twine (because I didn't know about the trusted publisher option then).
To switch to trusted publishing for micro-sam, we'd need to do two things:
`.github/workflows/release_drafter.yml`. The `deploy` job needs to be given `id-token: write` permissions, and changed to use the pypa/gh-action-pypi-publish action (see example here).

Xref: https://github.com/napari/napari-animation/issues/211
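
The workflow change described in the issue, as an added example that is not part of the original issue or the micro-sam repository. Only the `deploy` job name, `id-token: write` and the `pypa/gh-action-pypi-publish` action come from the issue; the trigger, build steps, action versions and the secret name `PYPI_API_TOKEN` are assumptions.

```yaml
# Added example, not the micro-sam workflow. Trigger, build steps, action
# versions and the secret name are assumptions made for illustration.
name: release
on:
  release:
    types: [published]

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Set permissions on the job, not the whole workflow, so that only the
    # publishing job can request an OIDC token.
    permissions:
      id-token: write   # required for trusted publishing
      contents: read    # needed by actions/checkout
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Build sdist and wheel
        run: |
          python -m pip install build
          python -m build

      # Before: token-based upload, kept as comments for comparison.
      # The long-lived API token sits in repository secrets and stays
      # valid until someone revokes it.
      # - name: Upload with twine
      #   env:
      #     TWINE_USERNAME: __token__
      #     TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}  # hypothetical secret name
      #   run: |
      #     python -m pip install twine
      #     twine upload dist/*

      # After: no username or password. The action exchanges the job's
      # OIDC token for a short-lived PyPI upload token and uploads dist/*.
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
```

The trusted publisher entry on PyPI has to name the same repository and workflow file that runs this job, otherwise the token exchange is rejected. Once the new job has published successfully, the old API token can be revoked on PyPI and deleted from the repository secrets.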