Trusted Publishing is a way to use short-lived tokens to automatically upload to PyPI:
https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
It is more secure: the release is made from a clean CI run rather than the maintainer's own computer (we're using this method). Also the tokens are short-lived and don't rely on storing long-lived API tokens on your computer or in the repo.
It's automated, and more reproducible, and makes it easier to release.
This workflow shows a preview of what would be released for every run. For merges to main, it deploys to TestPyPI, and when creating a "GitHub release" it deploys to production PyPI.
I've set up both TestPyPI and PyPI for this; it looks like this:
Here's a preview:
https://github.com/marcusvolz/strava_py/actions/runs/7370157427?pr=39
I'll update RELEASING.md after doing a new release to support 3.12.