ci: Use release environment to publish python distributions (probabl-ai#945)

The publication on PyPI is now more restricted than before:
- only maintainers can publish to PyPI via tags,
- the release request must be approved by a different maintainer.

The `release` environment can't be reached by an opened PR, even with
modifications on GHA. As a result, only maintainers can publish to PyPI.

---

### Release sequence:

1. Creation of the tag (check for `rulesets` setting on GH)

    This step is restricted to maintainers.
    There is no constraint on the targeted branch.
    The status "ci-green" is required.

2. Deployment to the `release` environment (check for `environments` setting on GH)

    Only tags can trigger a deployment to the environment.
    For greater safety, one different maintainer must approve the workflow
    runs when they access this environment.

3. Publication to PyPI (check for `publication` setting on PyPI)

    Only events coming from the `release` environment can trigger the PyPI
    publisher.

Co-authored-by: Auguste Baum <[email protected]>
thomass-dev and augustebaum authored Dec 16, 2024
1 parent 53cb3c2 commit d42a6af
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion .github/workflows/release.yml
Expand Up @@ -63,6 +63,7 @@ jobs:
publish:
name: Publish package distributions to PyPI using trusted publisher
runs-on: ubuntu-latest
environment: release
permissions:
id-token: write
needs: build
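Review bot: `environment: release` on the `publish` job only restricts who can mint the OIDC token (`id-token: write`) if two things outside this file are also in place: the environment's protection rules in the repository settings (required reviewer, deployments limited to tags) and the PyPI trusted publisher configuration updated to require the `release` environment name; without the PyPI side, a token from any run of this workflow is still accepted. Neither setting is visible in the diff, so a short comment above `environment: release` pointing to where they are configured (the commit message already names `environments` on GH and `publication` on PyPI) would help the next maintainer keep them in sync.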
Expand All @@ -78,8 +79,13 @@ jobs:
with:
verify-metadata: false

communicate:
name: Communicate on slack about the new release
runs-on: ubuntu-latest
needs: publish
continue-on-error: true
steps:
- name: Post to slack
continue-on-error: true
uses: slackapi/[email protected]
with:
channel-id: "product-releases"
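Review bot: `continue-on-error: true` is set both on the `communicate` job and on the `Post to slack` step; the job-level setting already keeps a Slack failure from failing the run, so the step-level duplicate can go. Since this job runs inside the release workflow after `publish`, consider pinning the Slack action (rendered here as `slackapi/[email protected]`) to a full commit SHA rather than a mutable tag, and note that the job correctly does not declare `environment: release`, so the Slack step never holds the release environment's protections or token.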
