pypi-publish/README.md

# PyPI publish GitHub Action
This action allows you to upload your [Python distribution packages]
in the `dist/` directory to PyPI.
This text suggests a minimalistic usage overview. For more detailed
walkthrough check out the [PyPA guide].


## Usage

To use the action add the following step to your workflow file (e.g.
`.github/workflows/main.yml`)


```yml
- name: Publish a Python distribution to PyPI
  uses: pypa/gh-action-pypi-publish@master
  with:
    user: __token__
    password: ${{ secrets.pypi_password }}
```

> **Pro tip**: instead of using branch pointers, like `master`, pin versions of
Actions that you use to tagged versions or sha1 commit identifiers. This will
make your workflows more secure and better reproducible, saving you from sudden
and unpleasant surprises.

A common use case is to upload packages only on a tagged commit, to do so add a
filter to the step:


```yml
  if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
```

So the full step would look like:


```yml
- name: Publish package
  if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
  uses: pypa/gh-action-pypi-publish@master
  with:
    user: __token__
    password: ${{ secrets.pypi_password }}
```

The example above uses the new [API token][PyPI API token] feature of
PyPI, which is recommended to restrict the access the action has.

The secret used in `${{ secrets.pypi_password }}` needs to be created on the
settings page of your project on GitHub. See [Creating & using secrets].


## Non-goals

This GitHub Action [has nothing to do with _building package
distributions_]. Users are responsible for preparing dists for upload
by putting them into the `dist/` folder prior to running this Action.


## Advanced release management

For best results, figure out what kind of workflow fits your
project's specific needs.

For example, you could implement a parallel workflow that
pushes every commit to TestPyPI or your own index server,
like `devpi`. For this, you'd need to (1) specify a custom
`repository_url` value and (2) generate a unique version
number for each upload so that they'd not create a conflict.
The latter is possible if you use `setuptools_scm` package but
you could also invent your own solution based on the distance
to the latest tagged commit.

You'll need to create another token for a separate host and then
[save it as a GitHub repo secret][Creating & using secrets].

The action invocation in this case would look like:
```yml
- name: Publish package to TestPyPI
  uses: pypa/gh-action-pypi-publish@master
  with:
    user: __token__
    password: ${{ secrets.test_pypi_password }}
    repository_url: https://test.pypi.org/legacy/
```

### Customizing target package dists directory

You can change the default target directory of `dist/`
to any directory of your liking. The action invocation
would now look like:

```yml
- name: Publish package to PyPI
  uses: pypa/gh-action-pypi-publish@master
  with:
    user: __token__
    password: ${{ secrets.pypi_password }}
    packages_dir: custom-dir/
```

### Disabling metadata verification

It is recommended that you run `twine check` just after producing your files,
but this also runs `twine check` before upload. You can also disable the twine
check with:

```yml
   with:
     verify_metadata: false
```

### Tolerating release package file duplicates

Sometimes, when you publish releases from multiple places, your workflow
may hit race conditions. For example, when publishing from multiple CIs
or even having workflows with the same steps triggered withing GitHub
Actions CI/CD for different events concerning the same high-level act.

To facilitate this use-case, you may use `skip_existing` (disabled by
default) setting as follows:

```yml
   with:
     skip_existing: true
```

> **Pro tip**: try to avoid enabling this setting where possible. If you
have steps for publishing to both PyPI and TestPyPI, consider only using
it for the latter, having the former fail loudly on duplicates.

## License

The Dockerfile and associated scripts and documentation in this project
are released under the [BSD 3-clause license](LICENSE.md).


[Creating & using secrets]:
https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets
[has nothing to do with _building package distributions_]:
https://github.com/pypa/gh-action-pypi-publish/issues/11#issuecomment-530480449
[PyPA guide]:
https://packaging.python.org/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/
[PyPI API token]: https://pypi.org/help/#apitoken
[Python distribution packages]:
https://packaging.python.org/glossary/#term-distribution-package
Add a README for the GitHub Action 2019-03-27 15:58:36 -04:00			`# PyPI publish GitHub Action`
Use detached link syntax in README 2020-06-03 11:53:04 -04:00			`This action allows you to upload your [Python distribution packages]`
Indicate clearly what is being uploaded. 2019-11-26 16:07:42 -05:00			in the `dist/` directory to PyPI.
Add a link to the PyPA guide 2019-09-27 07:37:19 -04:00			`This text suggests a minimalistic usage overview. For more detailed`
			`walkthrough check out the [PyPA guide].`
Add a README for the GitHub Action 2019-03-27 15:58:36 -04:00

			`## Usage`
Adapt to new yml based github actions Co-Authored-By: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> Co-Authored-By: Pradyun Gedam <pradyunsg@gmail.com> 2019-08-20 16:48:52 -04:00
Typos and brevity 2019-09-16 07:01:16 -04:00			`To use the action add the following step to your workflow file (e.g.`
Adapt to new yml based github actions Co-Authored-By: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> Co-Authored-By: Pradyun Gedam <pradyunsg@gmail.com> 2019-08-20 16:48:52 -04:00			`.github/workflows/main.yml`)


			```yml
			`- name: Publish a Python distribution to PyPI`
Fix pypa org refs in README 2019-08-23 07:20:45 -04:00			`uses: pypa/gh-action-pypi-publish@master`
Adapt to new yml based github actions Co-Authored-By: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> Co-Authored-By: Pradyun Gedam <pradyunsg@gmail.com> 2019-08-20 16:48:52 -04:00			`with:`
			`user: __token__`
			`password: ${{ secrets.pypi_password }}`
Add a README for the GitHub Action 2019-03-27 15:58:36 -04:00			```

Add a README recommendation to pin action versions 2019-09-24 17:03:49 -04:00			> Pro tip: instead of using branch pointers, like `master`, pin versions of
			`Actions that you use to tagged versions or sha1 commit identifiers. This will`
			`make your workflows more secure and better reproducible, saving you from sudden`
			`and unpleasant surprises.`

Adapt to new yml based github actions Co-Authored-By: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> Co-Authored-By: Pradyun Gedam <pradyunsg@gmail.com> 2019-08-20 16:48:52 -04:00			`A common use case is to upload packages only on a tagged commit, to do so add a`
			`filter to the step:`
Add a README for the GitHub Action 2019-03-27 15:58:36 -04:00

Adapt to new yml based github actions Co-Authored-By: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> Co-Authored-By: Pradyun Gedam <pradyunsg@gmail.com> 2019-08-20 16:48:52 -04:00			```yml
Replace `github.ref` -> `github.event.ref` README Resolves #31 2020-06-03 11:49:53 -04:00			`if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')`
Adapt to new yml based github actions Co-Authored-By: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> Co-Authored-By: Pradyun Gedam <pradyunsg@gmail.com> 2019-08-20 16:48:52 -04:00			```

			`So the full step would look like:`


			```yml
			`- name: Publish package`
Replace `github.ref` -> `github.event.ref` README Resolves #31 2020-06-03 11:49:53 -04:00			`if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')`
Fix pypa org refs in README 2019-08-23 07:20:45 -04:00			`uses: pypa/gh-action-pypi-publish@master`
Adapt to new yml based github actions Co-Authored-By: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> Co-Authored-By: Pradyun Gedam <pradyunsg@gmail.com> 2019-08-20 16:48:52 -04:00			`with:`
			`user: __token__`
Fix PyPI pwd secret ref inconsistency in REDAME 2019-08-23 07:19:24 -04:00			`password: ${{ secrets.pypi_password }}`
Adapt to new yml based github actions Co-Authored-By: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> Co-Authored-By: Pradyun Gedam <pradyunsg@gmail.com> 2019-08-20 16:48:52 -04:00			```

Use detached link syntax in README 2020-06-03 11:53:04 -04:00			`The example above uses the new [API token][PyPI API token] feature of`
			`PyPI, which is recommended to restrict the access the action has.`
Adapt to new yml based github actions Co-Authored-By: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> Co-Authored-By: Pradyun Gedam <pradyunsg@gmail.com> 2019-08-20 16:48:52 -04:00
Wrap lines in README to fit 80 chars 2019-09-24 17:04:57 -04:00			The secret used in `${{ secrets.pypi_password }}` needs to be created on the
			`settings page of your project on GitHub. See [Creating & using secrets].`
Add a README for the GitHub Action 2019-03-27 15:58:36 -04:00

Add a Non-goals section to the README 2019-09-12 08:06:55 -04:00			`## Non-goals`

			`This GitHub Action [has nothing to do with _building package`
			`distributions_]. Users are responsible for preparing dists for upload`
			by putting them into the `dist/` folder prior to running this Action.


Mention ``repository_url`` in README 2019-09-15 03:16:54 -04:00			`## Advanced release management`

			`For best results, figure out what kind of workflow fits your`
			`project's specific needs.`
Typos and brevity 2019-09-16 07:01:16 -04:00
Mention ``repository_url`` in README 2019-09-15 03:16:54 -04:00			`For example, you could implement a parallel workflow that`
Test PyPI -> TestPyPI 2019-09-19 04:04:14 -04:00			`pushes every commit to TestPyPI or your own index server,`
Mention ``repository_url`` in README 2019-09-15 03:16:54 -04:00			like `devpi`. For this, you'd need to (1) specify a custom
			`repository_url` value and (2) generate a unique version
			`number for each upload so that they'd not create a conflict.`
Typos and brevity 2019-09-16 07:01:16 -04:00			The latter is possible if you use `setuptools_scm` package but
Mention ``repository_url`` in README 2019-09-15 03:16:54 -04:00			`you could also invent your own solution based on the distance`
			`to the latest tagged commit.`

Typos and brevity 2019-09-16 07:01:16 -04:00			`You'll need to create another token for a separate host and then`
			`[save it as a GitHub repo secret][Creating & using secrets].`
Rename a Test PyPI secret 2019-09-15 09:24:35 -04:00
Mention ``repository_url`` in README 2019-09-15 03:16:54 -04:00			`The action invocation in this case would look like:`
			```yml
Test PyPI -> TestPyPI 2019-09-19 04:04:14 -04:00			`- name: Publish package to TestPyPI`
Mention ``repository_url`` in README 2019-09-15 03:16:54 -04:00			`uses: pypa/gh-action-pypi-publish@master`
			`with:`
			`user: __token__`
Rename a Test PyPI secret 2019-09-15 09:24:35 -04:00			`password: ${{ secrets.test_pypi_password }}`
Mention ``repository_url`` in README 2019-09-15 03:16:54 -04:00			`repository_url: https://test.pypi.org/legacy/`
			```

Reword `package-dir` example title in README 2019-12-06 07:44:40 -05:00			`### Customizing target package dists directory`
Custom dist 2019-12-05 18:25:02 -05:00
			You can change the default target directory of `dist/`
			`to any directory of your liking. The action invocation`
			`would now look like:`

			```yml
Use a regular PyPI in the custom dist dir example 2019-12-06 07:42:24 -05:00			`- name: Publish package to PyPI`
Custom dist 2019-12-05 18:25:02 -05:00			`uses: pypa/gh-action-pypi-publish@master`
			`with:`
			`user: __token__`
Use a regular PyPI in the custom dist dir example 2019-12-06 07:42:24 -05:00			`password: ${{ secrets.pypi_password }}`
Fix typo in inputs d7872a6165 changed the name of an input from `dist` to `packages-dir`, but unfortunately it looks like GitHub actions expect underscores rather than dashes, so deploys are currently broken with the following errors: ``` Run pypa/gh-action-pypi-publish@master with: user: __token__ password: *** packages-dir: dist env: pythonLocation: /opt/hostedtoolcache/Python/3.8.0/x64 /usr/bin/docker run --name [...] -e INPUT_PACKAGES-DIR [...] /app/twine-upload.sh: line 22: INPUT_PACKAGES_DIR: unbound variable This patch replaces the dash with an underscore. Resolves #20 2019-12-06 18:09:41 -05:00			`packages_dir: custom-dir/`
Custom dist 2019-12-05 18:25:02 -05:00			```
Mention ``repository_url`` in README 2019-09-15 03:16:54 -04:00
Use metadata_verify instead of check 2020-06-03 11:04:52 -04:00			`### Disabling metadata verification`
feat: Add twine check before upload #30 2020-06-02 11:08:43 -04:00
Use metadata_verify instead of check 2020-06-03 11:04:52 -04:00			It is recommended that you run `twine check` just after producing your files,
			but this also runs `twine check` before upload. You can also disable the twine
			`check with:`
feat: Add twine check before upload #30 2020-06-02 11:08:43 -04:00
			```yml
			`with:`
Use metadata_verify instead of check 2020-06-03 11:04:52 -04:00			`verify_metadata: false`
feat: Add twine check before upload #30 2020-06-02 11:08:43 -04:00			```

Expose `skip_existing` setting to the end-users 2020-06-19 15:30:53 -04:00			`### Tolerating release package file duplicates`

			`Sometimes, when you publish releases from multiple places, your workflow`
			`may hit race conditions. For example, when publishing from multiple CIs`
			`or even having workflows with the same steps triggered withing GitHub`
			`Actions CI/CD for different events concerning the same high-level act.`

			To facilitate this use-case, you may use `skip_existing` (disabled by
			`default) setting as follows:`

			```yml
			`with:`
			`skip_existing: true`
			```

			`> Pro tip: try to avoid enabling this setting where possible. If you`
			`have steps for publishing to both PyPI and TestPyPI, consider only using`
			`it for the latter, having the former fail loudly on duplicates.`

Add a README for the GitHub Action 2019-03-27 15:58:36 -04:00			`## License`
Adapt to new yml based github actions Co-Authored-By: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> Co-Authored-By: Pradyun Gedam <pradyunsg@gmail.com> 2019-08-20 16:48:52 -04:00
Add a README for the GitHub Action 2019-03-27 15:58:36 -04:00			`The Dockerfile and associated scripts and documentation in this project`
📄 Update the license mention in README 2019-03-29 18:48:49 -04:00			`are released under the [BSD 3-clause license](LICENSE.md).`
Adapt to new yml based github actions Co-Authored-By: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua> Co-Authored-By: Pradyun Gedam <pradyunsg@gmail.com> 2019-08-20 16:48:52 -04:00

Wrap lines in README to fit 80 chars 2019-09-24 17:04:57 -04:00			`[Creating & using secrets]:`
Fix miss leading link creating & using secrets 2019-11-23 13:35:12 -05:00			`https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets`
Add a Non-goals section to the README 2019-09-12 08:06:55 -04:00			`[has nothing to do with _building package distributions_]:`
			`https://github.com/pypa/gh-action-pypi-publish/issues/11#issuecomment-530480449`
Add a link to the PyPA guide 2019-09-27 07:37:19 -04:00			`[PyPA guide]:`
			`https://packaging.python.org/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/`
Use detached link syntax in README 2020-06-03 11:53:04 -04:00			`[PyPI API token]: https://pypi.org/help/#apitoken`
			`[Python distribution packages]:`
			`https://packaging.python.org/glossary/#term-distribution-package`