Open GenevieveBuckley opened 1 month ago
GenevieveBuckley
commented
1 month ago I'd say this change is good to have, but not super urgent. Maybe we should aim to get it done in the next 1-2 releases, or the next six months?
Sorry Contantin, I know I had you make those PyPI API tokens very recently. I didn't realise this was the better way to do it!
constantinpape
commented
1 month ago No worries and thanks for looking into it @GenevieveBuckley. I was a bit delayed with testing the PyPI upload anyways; I want to do this together with a new patch release but still need to work on a few minor things for this. I should be able to do this early next week. I will check this issue out then.
GenevieveBuckley
commented
1 month ago No worries. We could easily wait for this to happen in https://github.com/napari/napari-animation/issues/211 (I've opened https://github.com/napari/napari-animation/pull/212), and see how things go there first. There might be one or two hiccups we can learn from.
constantinpape
commented
1 month ago Ok! Let's wait for the PR in napari-animation and also figure out why our current deployment is not working before that, see #530.
PyPI introduced Trusted Publishers last year (see the announcement and how trusted publishing works). This improves security, since you no longer rely on having long-lived API tokens to use with twine.
We recently added a PyPI deployment job to the release workflow in https://github.com/computational-cell-analytics/micro-sam/pull/606. That PR uploads to PyPI using twine (because I didn't know about the trusted publisher option then).
To switch to trusted publishing for micro-sam, we'd need to do two things:
.github/workflows/release_drafter.yml. Thedeployjob needs to be givenid-token: writepermissions, and changed to use the pypa/gh-action-pypi-publish action (see example here).Xref: https://github.com/napari/napari-animation/issues/211