kyamagu / skia-python

Python binding to Skia Graphics Library
https://kyamagu.github.io/skia-python/
BSD 3-Clause "New" or "Revised" License

Migrate to trusted publisher pypi workflow #228

Closed kyamagu closed 8 months ago

kyamagu commented 8 months ago

Changes:

kyamagu commented 8 months ago

@HinTak BTW, please let me know your PyPI account if you have one. I would like to invite you as a collaborator

HinTak commented 8 months ago

The build_doc job was missing the same actions update as the publishing job. I hope you don't mind my just adding another commit for that, to get CI going - the addition is obvious enough and you'd have added the exact same change.

HinTak commented 8 months ago

@kyamagu I just registered on PyPI using the same username 'HinTak'. 2FA in PyPI looks very complicated there though - GitHub has my phone number and can SMS me, but PyPI's 2FA is something else?

kyamagu commented 8 months ago

@HinTak You can use a TOTP authenticator app like Google Authenticator for 2FA. I set up the TOTP also for GitHub.

kyamagu commented 8 months ago

@HinTak, feel free to debug the new PyPI publishing workflow. Rewriting a release (remove, then create again) is acceptable for debugging the step.

HinTak commented 8 months ago

Usually I don't modify/re-use tags once they are public... it is a bit confusing if somebody fetches/syncs and gets them over-written, or worse, if they have a local config blocking such overwrites. It is quite frowned upon to re-write git history that way. In this case, the difference is small, and changes over only two days, and irrelevant to end-users. Otherwise I'd give it a new tag like 121.1b6 from 121.0b6. (I still need to remove the old local version of the tag, and you probably need to do the same too - that's why it is considered bad practice...)

HinTak commented 8 months ago

@kyamagu I can't open the manage tab on the pypi side - but supposedly only 4 things are needed there, right? Repo, owner, workflow, environment? According to? https://docs.pypi.org/trusted-publishers/adding-a-publisher/

* `sub`: `repo:kyamagu/skia-python:ref:refs/tags/v121.0b6`
* `repository`: `kyamagu/skia-python`
* `repository_owner`: `kyamagu`
* `repository_owner_id`: `1190780`
* `job_workflow_ref`: `kyamagu/skia-python/.github/workflows/ci.yml@refs/tags/v121.0b6`
* `ref`: `refs/tags/v121.0b6`

HinTak commented 8 months ago

@kyamagu what did you put in the github environment (optional) field on the pypi side? That apparently needs to match on github side...
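
An added example, not part of the thread and not PyPI's own code: a simplified model of comparing the claims listed above with a trusted-publisher entry, showing why an environment set on the PyPI side fails when the token carries no `environment` claim. The publisher field names and the `example-env` value are assumptions made for illustration.

```python
# Simplified model of matching GitHub OIDC claims against a trusted-publisher
# entry. This is NOT PyPI's implementation; the publisher dict keys are assumed.

def claim_mismatches(publisher, claims):
    """Return human-readable reasons why `claims` do not satisfy `publisher`."""
    problems = []
    expected_repo = f"{publisher['owner']}/{publisher['repository']}"
    if claims.get("repository") != expected_repo:
        problems.append(f"repository: want {expected_repo!r}, "
                        f"got {claims.get('repository')!r}")
    if claims.get("repository_owner") != publisher["owner"]:
        problems.append(f"repository_owner: want {publisher['owner']!r}, "
                        f"got {claims.get('repository_owner')!r}")
    # The workflow is identified by file name; the part after '@' is the git ref.
    prefix = f"{expected_repo}/.github/workflows/{publisher['workflow']}@"
    if not claims.get("job_workflow_ref", "").startswith(prefix):
        problems.append(f"job_workflow_ref: want prefix {prefix!r}, "
                        f"got {claims.get('job_workflow_ref')!r}")
    # The environment is optional on the publisher side, but once it is set
    # the token has to carry a matching 'environment' claim.
    wanted_env = publisher.get("environment")
    if wanted_env and claims.get("environment") != wanted_env:
        problems.append(f"environment: want {wanted_env!r}, "
                        f"got {claims.get('environment')!r}")
    return problems

# Claims as listed in the thread; note there is no 'environment' entry.
CLAIMS = {
    "sub": "repo:kyamagu/skia-python:ref:refs/tags/v121.0b6",
    "repository": "kyamagu/skia-python",
    "repository_owner": "kyamagu",
    "repository_owner_id": "1190780",
    "job_workflow_ref":
        "kyamagu/skia-python/.github/workflows/ci.yml@refs/tags/v121.0b6",
    "ref": "refs/tags/v121.0b6",
}

# Constructed publisher entries; 'example-env' is a placeholder, not the
# value used by the project (the thread does not state it).
WITH_ENV = {"owner": "kyamagu", "repository": "skia-python",
            "workflow": "ci.yml", "environment": "example-env"}
NO_ENV = {**WITH_ENV, "environment": None}

if __name__ == "__main__":
    for label, pub in (("environment set", WITH_ENV), ("no environment", NO_ENV)):
        print(label, "->", claim_mismatches(pub, CLAIMS) or "match")
```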

kyamagu commented 8 months ago

@HinTak Right, I'll make a PR for that

kyamagu commented 8 months ago

@HinTak, I've updated your permission on PyPI. Please check

HinTak commented 8 months ago

@kyamagu I can see the pypi side now. Hopefully #229 should be it. I'll move the release tag when that ci finishes and try releasing again.