[maintenance] Migrate PyPI release automation to Trusted Publishing #10256
Comments
Just configured trusted publishing on PyPI. Opened #10263 to update the release workflow. Feel free to take a look.
We just did a test release. Everything seems to work as expected. @webknjaz If you have additional suggestions for the release workflow, we'd be happy to take a look at them! https://pypi.org/project/pylint/3.3.5a0/ Also opened pylint-dev/astroid#2696 to add Trusted Publishing for
Looks good overall. I typically sequence the jobs differently and extract the version for the URL in the environment setting. But these are my preferences. You've probably adjusted according to your needs.
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [astroid](https://github.com/pylint-dev/astroid) | project.dependencies | patch | `<=3.3.8` -> `<=3.3.9` |

---

### Release Notes

<details>
<summary>pylint-dev/astroid (astroid)</summary>

### [`v3.3.9`](https://github.com/pylint-dev/astroid/blob/HEAD/ChangeLog#Whats-New-in-astroid-339)

[Compare Source](pylint-dev/astroid@v3.3.8...v3.3.9)

\============================

Release date: 2025-03-09

- Fix crash when `sys.modules` contains lazy loader objects during checking. Closes [#2686](pylint-dev/astroid#2686) Closes [pylint-dev/pylint#8589](pylint-dev/pylint#8589)
- Upload release assets to PyPI via Trusted Publishing. Refs [pylint-dev/pylint#10256](pylint-dev/pylint#10256)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.tainton.uk/repos/webexmemebot/pulls/472
Reviewed-by: Luke Tainton <luke@tainton.uk>
Co-authored-by: Renovate [BOT] <renovate-bot@git.tainton.uk>
Co-committed-by: Renovate [BOT] <renovate-bot@git.tainton.uk>
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [astroid](https://github.com/pylint-dev/astroid) | project.dependencies | patch | `==3.3.8` -> `==3.3.9` |

---

### Release Notes

<details>
<summary>pylint-dev/astroid (astroid)</summary>

### [`v3.3.9`](https://github.com/pylint-dev/astroid/blob/HEAD/ChangeLog#Whats-New-in-astroid-339)

[Compare Source](pylint-dev/astroid@v3.3.8...v3.3.9)

\============================

Release date: 2025-03-09

- Fix crash when `sys.modules` contains lazy loader objects during checking. Closes [#2686](pylint-dev/astroid#2686) Closes [pylint-dev/pylint#8589](pylint-dev/pylint#8589)
- Upload release assets to PyPI via Trusted Publishing. Refs [pylint-dev/pylint#10256](pylint-dev/pylint#10256)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.tainton.uk/repos/pypilot/pulls/314
Reviewed-by: Luke Tainton <luke@tainton.uk>
Co-authored-by: Renovate [BOT] <renovate-bot@git.tainton.uk>
Co-committed-by: Renovate [BOT] <renovate-bot@git.tainton.uk>
This will make it possible to stop keeping the long-living PyPI API token in the repository settings. Additionally, it'll allow PyPI to display more metadata as verified.
And finally, this allows publishing PEP 740 digital attestations as a part of the release (enabled by default in `pypi-publish`).

Configuration will require somebody with Owner privileges on PyPI to set up trust. And somebody capable of updating the Environments section of the GitHub repository settings (for setting up release flow protection).
The guide is @ https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/. Feel free to ping me to review the PR.