From d42a6aff819f3f04794980265ec2e7a4d3a25078 Mon Sep 17 00:00:00 2001
From: "Thomas S."
Date: Mon, 16 Dec 2024 16:55:31 +0100
Subject: [PATCH] ci: Use release environment to publish python distributions (#945)

The publication on PyPI is now more restricted than before:
- only maintainers can publish to PyPI via tags,
- the release request must be approved by a different maintainer.

The `release` environment can't be reached by an opened PR, even with modifications on GHA. So only maintainers can publish to PyPI.

---

### Release sequence:

1. Creation of the tag (check for `rulesets` setting on GH)
   This step is restricted to maintainers. There is no constraint on the targeted branch. The status "ci-green" is required.
2. Deployment to the `release` environment (check for `environments` setting on GH)
   Only tags can trigger a deployment to the environment. For greater safety, one different maintainer must approve the workflow runs when they access this environment.
3. Publication to PyPI (check for `publication` setting on PyPI)
   Only events coming from the `release` environment can trigger the PyPI publisher.

Co-authored-by: Auguste Baum <52001167+augustebaum@users.noreply.github.com>
---
 .github/workflows/release.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2089d8ff1..f1f44d21f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -63,6 +63,7 @@ jobs: publish: name: Publish package distributions to PyPI using trusted publisher runs-on: ubuntu-latest + environment: release permissions: id-token: write needs: build @@ -78,8 +79,13 @@ jobs: with: verify-metadata: false + communicate: + name: Communicate on slack about the new release + runs-on: ubuntu-latest + needs: publish + continue-on-error: true + steps: - name: Post to slack - continue-on-error: true uses: slackapi/slack-github-action@v2.0.0 with: channel-id: "product-releases"
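Review bot: in the first hunk (`@@ -63,6 +63,7 @@`), `environment: release` on the `publish` job only restricts uploads if the PyPI trusted publisher for this project is registered with environment `release` as well; if the environment field is left empty on PyPI, a token minted by `release.yml` on any branch or ref still matches the publisher and the added line changes nothing on the PyPI side. Step 3 of the commit message says to check the `publication` setting on PyPI, so please record the expected publisher values (workflow `release.yml`, environment `release`) in the release docs or in a comment next to `environment: release`, so the two configurations cannot drift apart. The "different maintainer must approve" guarantee likewise depends on the environment's required-reviewers rule having "Prevent self-review" enabled; the workflow file cannot express that, so it belongs on the same checklist.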
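Review bot: in the second hunk (`@@ -78,8 +79,13 @@`), the new `communicate` job has no `permissions:` block, so it runs with the workflow's default `GITHUB_TOKEN` permissions, whereas `publish` is scoped to `id-token: write`; a job that only posts to Slack needs no repository access, so add `permissions: {}` (or at most `contents: read`) after `runs-on: ubuntu-latest`. Moving `continue-on-error: true` from the step to the job is equivalent in effect and keeps a Slack failure from marking the release run as failed, which is fine since the upload has already completed by then. On the unchanged `uses: slackapi/slack-github-action@v2.0.0` line, consider pinning to the action's full commit SHA rather than the mutable `v2.0.0` tag, since this job now sits in the release workflow.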
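The release sequence in the commit message relies on two separate checks: GitHub only lets a tag-triggered run enter the `release` environment, and PyPI only accepts an OIDC token whose claims match the registered trusted publisher. The following is an added example, not code from the project or from PyPI: it models both checks in Python so the difference between a publisher registered without an environment (the weak setting) and one registered with `environment: release` can be seen on constructed tokens. The claim names (`repository`, `repository_owner`, `job_workflow_ref`, `ref`, `ref_type`, `environment`) are the ones GitHub puts in its OIDC token; the matching rules are a simplified reading of PyPI's trusted publishing, and `example-org/example-project`, the tag pattern `v*` and the sample claim sets are assumptions made for the example.

```python
"""Model of the two gates in front of a PyPI trusted-publisher upload from GitHub Actions.

Added example for this patch: not the project's code and not PyPI's implementation.
Claim names follow GitHub's OIDC token; the publisher matching is a simplified model
of PyPI's trusted publishing. Repository names, tag pattern and tokens are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional, Tuple


@dataclass(frozen=True)
class TrustedPublisher:
    """What is registered on PyPI under the project's publishing settings."""
    owner: str
    repository: str
    workflow_filename: str
    environment: Optional[str] = None  # None means "any environment": the weak setting


def workflow_filename(job_workflow_ref: str) -> str:
    """'owner/repo/.github/workflows/release.yml@refs/tags/v1.0' -> 'release.yml'."""
    path = job_workflow_ref.split("@", 1)[0]
    return path.rsplit("/", 1)[-1]


def publisher_accepts(pub: TrustedPublisher, claims: dict) -> Tuple[bool, str]:
    """Decide whether a decoded, signature-verified token matches the publisher."""
    if claims.get("repository") != f"{pub.owner}/{pub.repository}":
        return False, "repository mismatch"
    if claims.get("repository_owner") != pub.owner:
        return False, "repository owner mismatch"
    if workflow_filename(claims.get("job_workflow_ref", "")) != pub.workflow_filename:
        return False, "workflow filename mismatch"
    if pub.environment is not None and claims.get("environment") != pub.environment:
        return False, f"environment {claims.get('environment')!r} != {pub.environment!r}"
    return True, "accepted"


def environment_admits(ref: str, ref_type: str, tag_patterns: Tuple[str, ...]) -> bool:
    """Model the GitHub environment deployment policy: only runs on a tag whose name
    matches an allowed pattern (e.g. 'v*') may deploy to the environment. Only such a
    run carries the 'environment' claim in its OIDC token."""
    if ref_type != "tag" or not ref.startswith("refs/tags/"):
        return False
    tag_name = ref[len("refs/tags/"):]
    return any(fnmatch(tag_name, pattern) for pattern in tag_patterns)


def evaluate(pub: TrustedPublisher, claims: dict, env_name: str = "release",
             tag_patterns: Tuple[str, ...] = ("v*",)) -> Tuple[bool, str]:
    """Full chain for one workflow run: environment admission, then publisher match."""
    claims = dict(claims)
    if environment_admits(claims["ref"], claims["ref_type"], tag_patterns):
        claims["environment"] = env_name
    else:
        claims.pop("environment", None)  # the job never entered the environment
    return publisher_accepts(pub, claims)


# Constructed claim sets (a real token carries more claims and is signed by GitHub).
TAG_RUN = {
    "repository": "example-org/example-project",
    "repository_owner": "example-org",
    "job_workflow_ref": "example-org/example-project/.github/workflows/release.yml@refs/tags/v0.5.0",
    "ref": "refs/tags/v0.5.0",
    "ref_type": "tag",
    "event_name": "push",
}
# Same workflow file, pushed on a branch by someone trying to publish without a tag.
BRANCH_RUN = {
    "repository": "example-org/example-project",
    "repository_owner": "example-org",
    "job_workflow_ref": "example-org/example-project/.github/workflows/release.yml@refs/heads/try-publish",
    "ref": "refs/heads/try-publish",
    "ref_type": "branch",
    "event_name": "push",
}

WEAK = TrustedPublisher("example-org", "example-project", "release.yml")
STRICT = TrustedPublisher("example-org", "example-project", "release.yml", environment="release")

if __name__ == "__main__":
    for label, pub in (("weak (no environment)", WEAK), ("strict (environment=release)", STRICT)):
        for run_name, run in (("tag run", TAG_RUN), ("branch run", BRANCH_RUN)):
            print(f"{label:30} {run_name:10} -> {evaluate(pub, run)}")
```

The branch run is what the commit message guards against: with the weak publisher it is accepted, because PyPI matches only the repository and the workflow filename and `release.yml` can be executed from any ref; with the strict publisher it is rejected, because the run never passed the environment's tag-only policy and so its token has no `environment` claim.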