38 changes: 38 additions & 0 deletions .github/workflows/release.yml
@@ -153,3 +153,41 @@ jobs:
version: "${{ env.VERSION }}",
}
});

pypi-publish:
runs-on:
group: databricks-deco-testing-runner-group
labels: ubuntu-latest-deco

needs: goreleaser


# IMPORTANT:
# - 'id-token: write' is mandatory for OIDC and trusted publishing to PyPi
# - 'environment: release' is a part of OIDC assertion done by PyPi
#
# See: https://docs.pypi.org/trusted-publishers/creating-a-project-through-oidc/
environment: release
Contributor

Why does this need access to the release environment token?

Collaborator Author

It's specified in the trusted publishing settings in the PyPI package deployment settings to avoid cases when the package gets accidentally published.

Contributor

Please add a comment to document this assertion.

Since the workflow doesn't use secrets, someone may remove this if they don't know about the assertion made by PyPI for OIDC purposes.

Collaborator Author

Clarified in comments

Contributor

Can you include that this is part of the OIDC assertion in PyPI?

Docs: https://docs.pypi.org/trusted-publishers/creating-a-project-through-oidc/

Collaborator Author

@pietern fixed, please take a look

permissions:
id-token: write

steps:
- name: Checkout repository and submodules
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
fetch-tags: true

- name: Install uv
uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1
with:
version: "0.6.5"

- name: Build wheel
working-directory: experimental/python
run: make dist

- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
with:
packages-dir: experimental/python/dist
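Review bot: the `pypi-publish` job holds `id-token: write` but also checks out the repository (`fetch-depth: 0`, `fetch-tags: true`) and runs `make dist` in `experimental/python`, so everything that build step executes (the Makefile, uv and whatever build backend it resolves) runs inside a job that can mint a PyPI trusted-publishing token. Consider splitting this into a build job without `id-token` that uploads `experimental/python/dist` as an artifact, and a publish job that only downloads that artifact and runs `pypa/gh-action-pypi-publish`, which is the layout the PyPA packaging guide uses so that the OIDC-capable job executes no project code. The SHA-pinned actions with version comments and the `# IMPORTANT:` block explaining why `environment: release` must not be removed are good as they stand.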