Add PyPI publishing workflow (Trusted Publishing / OIDC) #4480
Open
LiliDeng wants to merge 2 commits into
- .github/workflows/publish.yml: tag-triggered build then publish via PyPI Trusted Publishing (OIDC); TestPyPI first, then PyPI gated by GitHub Environment reviewer approval. No tokens stored.
- RELEASE.md: one-time bootstrap (pending publishers, GitHub environments, tag protection) plus per-release SOP and known limitations.
- MANIFEST.in: prune lisa/ai/data; deeply nested log paths trigger Windows 260-char limit during sdist build.
Pull request overview
Adds a GitHub Actions-based release pipeline for publishing the mslisa package to TestPyPI and PyPI using PyPI Trusted Publishing (OIDC), along with release runbook documentation and an sdist pruning tweak to avoid Windows path-length issues during local builds.
Changes:
- Introduce a tag-triggered `publish.yml` workflow that builds artifacts, validates with `twine check`, publishes to TestPyPI, then publishes to PyPI behind a GitHub Environment approval gate.
- Add `RELEASE.md` with bootstrap steps (pending publishers/environments/tag protection) and a per-release SOP.
- Prune `lisa/ai/data` from the sdist via `MANIFEST.in` to reduce deep-path issues on Windows.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| RELEASE.md | Documents bootstrap + release SOP for Trusted Publishing and local dry-run guidance. |
| MANIFEST.in | Excludes lisa/ai/data from sdists to mitigate Windows path-length failures. |
| .github/workflows/publish.yml | Implements the build + TestPyPI + gated PyPI publish workflow using OIDC. |
| # Try installing into a fresh venv | ||
| py -3.12 -m venv C:\tmp\mslisa-local | ||
| $wheel = (Get-Item dist\mslisa-*.whl).FullName | ||
| & C:\tmp\mslisa-local\Scripts\python.exe -m pip install "$wheel[azure]" |
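Review bot: The `Get-Item dist\mslisa-*.whl` lookup assumes exactly one wheel in `dist\`. After a second local build without cleaning, `.FullName` returns an array and `"$wheel[azure]"` expands to several paths joined by spaces, so the install command no longer points at a single file. Suggest deleting `dist\` before rebuilding, or selecting one file explicitly, e.g. `Get-Item dist\mslisa-*.whl | Sort-Object LastWriteTime | Select-Object -Last 1`. The fixed `C:\tmp\mslisa-local` path has the same problem: on a second run the venv already exists and is reused, so it is not the "fresh venv" the comment promises unless the directory is removed first.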
Comment on lines +124 to +130
| - **sdist build fails on Windows** because `setuptools_scm` includes every git- | ||
| tracked file (including deeply nested logs under `lisa/ai/data/...`) and the | ||
| resulting paths exceed Windows' 260-character limit. CI builds on Linux are | ||
| unaffected. The wheel is what users actually install. | ||
| - **`MANIFEST.in` `prune` rules don't apply** to files already tracked by git | ||
| when `setuptools_scm` is the file finder. To shrink the sdist, move | ||
| `lisa/ai/data/` out of git (git-lfs or a sibling repo). |
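Review bot: The second bullet states that `MANIFEST.in` `prune` rules do not apply to git-tracked files when `setuptools_scm` is the file finder, yet this same PR adds a prune of `lisa/ai/data` to `MANIFEST.in` as the fix for the Windows path-length failure. Both cannot hold as written. Suggest building the sdist in CI, listing the archive contents, and recording here what was actually observed, then keeping either the prune rule or this limitation. The sentence "The wheel is what users actually install" also deserves a qualifier, since the sdist is published alongside the wheel and is what anyone installing from source receives.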
| prune .github | ||
| exclude .git* | ||
|
|
||
| # AI training data is large and not needed at runtime; exclude from sdist/wheel. |
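Review bot: The new comment says the data is excluded from "sdist/wheel", but nothing in this hunk shows the wheel being affected. `MANIFEST.in` rules govern the sdist and only reach the wheel when package data is taken from the manifest (`include_package_data`). Suggest wording the comment as sdist-only, or adding a CI step that lists the built wheel and fails if `lisa/ai/data` is present. The comment also gives size as the reason while the PR description gives the Windows 260-character limit; naming both makes it less likely the rule is later removed as redundant.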
Comment on lines +14 to +18
| on: | ||
| push: | ||
| tags: | ||
| # CalVer: e.g. 20260420.1, 20260420.2 | ||
| - "2[0-9][0-9][0-9][0-9][0-9][0-9][0-9].*" |
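Review bot: The tag filter is a glob, so the trailing `.*` means a literal dot followed by any characters other than `/`: `20260420.foo` or `29999999.x` would start the publish workflow just as `20260420.1` does. Because this trigger leads to an upload, suggest a first job step that checks `github.ref_name` against the exact CalVer form (eight digits that form a real date, a dot, a sequence number, optionally the `rcN` suffix mentioned in the PR description) and fails before the build otherwise. It is also worth confirming that the tagged commit is reachable from the default branch, since the filter matches a tag pushed on any commit.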
What
Add PyPI publishing infrastructure so end users can `pip install mslisa[azure]`.

Changes
- `.github/workflows/publish.yml` — tag-triggered (CalVer `YYYYMMDD.N`). Builds sdist + wheel on Linux, runs `twine check`, publishes to TestPyPI first, then PyPI. Both publishes use PyPI Trusted Publishing (OIDC) — no API tokens stored. Final PyPI push is gated by `pypi` GitHub Environment reviewer approval.
- `RELEASE.md` — one-time bootstrap (pending publishers, GitHub environments, tag protection) plus per-release SOP and known limitations.
- `MANIFEST.in` — `prune lisa/ai/data` (deeply-nested log paths trip the Windows 260-char limit during local `python -m build`; Linux CI is unaffected).

Bootstrap status
- `mslisa` (env `pypi`)
- `mslisa` (env `testpypi`)
- `pypi` (with reviewers) and `testpypi` in repo Settings → Environments
- `2[0-9][0-9][0-9][0-9][0-9][0-9][0-9].*`

Verification
Smoke-tested end-to-end on a fork using a temporary package name `mslisa-lildeng-test`:
- build, `twine check`, OIDC, TestPyPI publish, PyPI publish — all green
- `lisa --help` works

After merge, plan to push an RC tag (e.g. `YYYYMMDD.NrcN`) to validate the full pipeline against `microsoft/lisa` before the first real release.

How users will install