Add GitHub action to automatically publish to PyPI #43
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
agriyakhetarpal
suggested changes
Dec 2, 2025
Comment on lines
135
to
139
| # TODO: get zizmor to pass, and maybe set it up as a github action | ||
| # - repo: https://github.com/woodruffw/zizmor-pre-commit | ||
| # rev: v1.11.0 | ||
| # rev: v1.18.0 | ||
| # hooks: | ||
| # - id: zizmor |
Member
There was a problem hiding this comment.
I know that this is outside the scope of setting up a publishing action, but I wanted to note that this is a TODO lying around outside the diff of this PR, and it'll help secure the publishing process when resolved. So it might make sense to resolve this here itself.
A pre-commit hook is better than an action here, as it'll run in the pre-commit checks job, and you'd avoid adding another action this way.
Comment on lines
+9
to
+11
| permissions: | ||
| contents: read | ||
|
|
Member
There was a problem hiding this comment.
These permissions can go down into the context of the job, and then this can simply be:
Suggested change
| permissions: | |
| contents: read | |
| permissions: {} |
so that the permissions are more granularly divided/scoped.
Comment on lines
+11
to
+12
| permissions: | ||
| contents: read |
Member
There was a problem hiding this comment.
Same as above:
Suggested change
| permissions: | |
| contents: read | |
| permissions: {} |
Comment on lines
+15
to
+19
| build-artifacts: | ||
| runs-on: ubuntu-latest | ||
| defaults: | ||
| run: | ||
| shell: bash -l {0} |
Member
There was a problem hiding this comment.
Suggested change
| build-artifacts: | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| shell: bash -l {0} | |
| build-artifacts: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| defaults: | |
| run: | |
| shell: bash -l {0} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #22.
This uses Trusted Publishing, which needs set up on PyPI and GitHub, which I believe currently needs done by e.g. @stefanv or @jarrodmillman. (Alternatively, I could be added and/or given permission to do this--I have no preference).
Feel free to suggest or update the
if:condition for when to upload, as this should probably be done by the release manager and closely match the release process.Note that I identified two GitHub environments:
test-pypiandpypi.I also updated pre-commit hooks, and made a few changes to make Zizmor pre-commit a little more happy.
Finally, I think it would be nice to upload a release to PyPI, since we are technically name-squatting and could lose it no PyPI without notice. I would do a pre-release first to test the GitHub action.