Skip to content

publish distributions #6026

publish distributions

publish distributions #6026

name: publish distributions
on:
push:
branches:
- main
tags:
- v*
pull_request:
branches:
- main
- release/v*
release:
types: [published]
# Run weekly at 1:23 UTC
schedule:
- cron: '23 1 * * 0'
workflow_dispatch:
inputs:
publish:
type: boolean
description: 'Publish to TestPyPI'
default: false
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
build:
name: Build Python distribution
runs-on: ubuntu-latest
permissions:
id-token: write
attestations: write
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python 3.12
uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Install python-build and twine
run: |
python -m pip install uv
uv pip install --system --upgrade pip
uv pip install --system build twine
python -m pip list
- name: Build a sdist and wheel
if: github.event_name != 'schedule'
run: |
python -m build --installer uv .
- name: Build a sdist and wheel and check for warnings
if: github.event_name == 'schedule'
run: |
PYTHONWARNINGS=error,default::DeprecationWarning python -m build --installer uv .
- name: Verify untagged commits have dev versions
if: "!startsWith(github.ref, 'refs/tags/')"
run: |
latest_tag=$(git describe --tags)
latest_tag_revlist_SHA=$(git rev-list -n 1 ${latest_tag})
main_SHA="$(git rev-parse --verify origin/main)"
wheel_name=$(find dist/ -iname "*.whl" -printf "%f\n")
if [[ "${latest_tag_revlist_SHA}" != "${main_SHA}" ]]; then # don't check main push events coming from tags
if [[ "${wheel_name}" == *"pyhf-0.1.dev"* || "${wheel_name}" != *"dev"* ]]; then
echo "python-build incorrectly named built distribution: ${wheel_name}"
echo "python-build is lacking the history and tags required to determine version number"
echo "intentionally erroring with 'return 1' now"
return 1
fi
else
echo "Push event to origin/main was triggered by push of tag ${latest_tag}"
fi
echo "python-build named built distribution: ${wheel_name}"
- name: Verify tagged commits don't have dev versions
if: startsWith(github.ref, 'refs/tags')
run: |
wheel_name=$(find dist/ -iname "*.whl" -printf "%f\n")
if [[ "${wheel_name}" == *"dev"* ]]; then
echo "python-build incorrectly named built distribution: ${wheel_name}"
echo "this is incorrrectly being treated as a dev release"
echo "intentionally erroring with 'return 1' now"
return 1
fi
echo "python-build named built distribution: ${wheel_name}"
- name: Verify the distribution
run: twine check --strict dist/*
- name: List contents of sdist
run: python -m tarfile --list dist/pyhf-*.tar.gz
- name: List contents of wheel
run: python -m zipfile --list dist/pyhf-*.whl
- name: Generate artifact attestation for sdist and wheel
# If publishing to TestPyPI or PyPI
if: >-
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'scikit-hep/pyhf')
|| (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'scikit-hep/pyhf')
|| (github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf')
uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
with:
subject-path: "dist/pyhf-*"
- name: Upload distribution artifact
uses: actions/[email protected]
with:
name: dist-artifact
path: dist
publish:
name: Publish Python distribution to (Test)PyPI
if: github.event_name != 'pull_request'
needs: build
runs-on: ubuntu-latest
# Mandatory for publishing with a trusted publisher
# c.f. https://docs.pypi.org/trusted-publishers/using-a-publisher/
permissions:
id-token: write
# Restrict to the environment set for the trusted publisher
environment:
name: publish-package
steps:
- name: Download distribution artifact
uses: actions/download-artifact@v4
with:
name: dist-artifact
path: dist
- name: List all files
run: ls -lh dist
- name: Verify sdist artifact attestation
# If publishing to TestPyPI or PyPI
if: >-
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'scikit-hep/pyhf')
|| (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'scikit-hep/pyhf')
|| (github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf')
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh attestation verify dist/pyhf-*.tar.gz --repo ${{ github.repository }}
- name: Verify wheel artifact attestation
# If publishing to TestPyPI or PyPI
if: >-
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'scikit-hep/pyhf')
|| (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'scikit-hep/pyhf')
|| (github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf')
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh attestation verify dist/pyhf-*.whl --repo ${{ github.repository }}
- name: Publish distribution 📦 to Test PyPI
# Publish to TestPyPI on tag events of if manually triggered
# Compare to 'true' string as booleans get turned into strings in the console
if: >-
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'scikit-hep/pyhf')
|| (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'scikit-hep/pyhf')
uses: pypa/[email protected]
with:
repository-url: https://test.pypi.org/legacy/
print-hash: true
- name: Publish distribution 📦 to PyPI
if: github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf'
uses: pypa/[email protected]
with:
print-hash: true