[CI] build'n'publish with steroids #64
@echedey-ls Yes, the package was switched to using trusted publishing in #60

The docs failure seems to be caused by this PR.

It seems sensible to me, but ideally, this needs a review from someone more competent. @kandersolar are you up for taking a look at this?
kandersolar
left a comment
It looks reasonable to me as well. One question for @echedey-ls about GHA environments below.
.github/workflows/publish.yml
Outdated
| # if this workflow is modified to be a generic CI workflow then | ||
| # add an if statement to the publish step so it only runs on tags. | ||
| # CI setup instructions: | ||
| # 1. Create a new environment for additional protection and security in the GitHub UI: |
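Review bot: The setup comment at step 1 ("Create a new environment for additional protection and security") does not say what the environment protects against, so a maintainer following it cannot tell which settings matter. Suggest naming the controls the step relies on, such as required reviewers or deployment branch and tag rules on the environment, and noting that if an environment name is entered in the PyPI trusted publisher configuration, the job's environment has to match it.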
What's the benefit of using a GHA environment here? We won't be using any of the features (or will we?)
I don't know.
There's a claim in the setup instructions from PyPI that recommends it. I think they've clarified a bit why, I don't remember seeing it when I set it up.
In https://docs.pypi.org/trusted-publishers/creating-a-project-through-oidc/
Second image, the first one on setting up GHA:

And the note below it:
Like with "normal" Trusted Publishing, configuring a GitHub Actions environment is optional but strongly recommended.
@AdamRJensen I won't be able to test this locally with act until weekend/next week.
@echedey-ls let me know if I should do something, e.g., merge this PR and make a pre-release.
Upon merging in #62 I got the following email detailing an error in the PyPI workflow:

I will look into it later, please don't merge for now. I suspect it can be the trigger, that does not work with merge commits. I have to update the ci name too, so I'll commit that.

Good to go, I believe :)

There are some warnings in the build step you may want to check:
```
/tmp/build-env-uxvjhs_v/lib/python3.12/site-packages/setuptools/config/_apply_pyprojecttoml.py:82: SetuptoolsDeprecationWarning: `project.license` as a TOML table is deprecated
!!
********************************************************************************
Please use a simple string containing a SPDX expression for `project.license`. You can also use `project.license-files`.
By 2026-Feb-18, you need to update your project and remove deprecated calls
or your builds will no longer be supported.
See https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#license for details.
********************************************************************************
!!
corresp(dist, value, root_dir)
/tmp/build-env-uxvjhs_v/lib/python3.12/site-packages/setuptools/config/_apply_pyprojecttoml.py:61: SetuptoolsDeprecationWarning: License classifiers are deprecated.
!!
********************************************************************************
Please consider removing the following classifiers in favor of a SPDX license expression:
License :: OSI Approved :: BSD License
See https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#license for details.
********************************************************************************
```
https://github.com/pvlib/twoaxistracking/actions/runs/13958847092/job/39076147809?pr=64

I fixed some own-implementation errors and updated instructions (cause I removed base repo env var, it wasn't serving its purpose ideally)

I made a pre-release v0.2.7-alpha.4 and it works like a charm (don't ask about the pre-release naming 😄) The files on PyPI are nice and small 12 kB. Thanks @echedey-ls for this nice improvement!

This PR is my own agenda for Python Packaging, and a utility I plan to reuse as a pyOpenSci reviewer too. I based my work off pvplabs/pvpltools CI, which I also authored based on pvlib/pvlib-python (and a helping hand of AI agents too).
Main changes:
v*
I wanted to keep the CI as similar to the prior version as I could. I failed. But feel free to make any objections, unify jobs, etc. It's all my design choices and how I feel it works the best, but that's just my opinion.
Can you confirm that this package uses PyPI's trusted publishing? I recommend doing a minor pre-release after merging, to ensure it all goes as expected.
EDIT: well I'll test this soon, will let u know.