Merge commit 'pull/origin/7'

.yamllint

@@ -0,0 +1,2 @@
+indentation:
+  indent-sequences: false

Dockerfile

@@ -4,17 +4,14 @@ LABEL "maintainer"="Sviatoslav Sydorenko <wk+re-actors@sydorenko.org.ua>"
 LABEL "repository"="https://github.com/re-actors/gh-action-pypi-publish"
 LABEL "homepage"="https://github.com/re-actors/gh-action-pypi-publish"
 
-LABEL "com.github.actions.name"="pypi-publish"
-LABEL "com.github.actions.description"="Upload Python distribution packages to PyPI"
-LABEL "com.github.actions.icon"="upload-cloud"
-LABEL "com.github.actions.color"="yellow"
-
 ENV PYTHONDONTWRITEBYTECODE 1
 ENV PYTHONUNBUFFERED 1
 
-ADD LICENSE.md /LICENSE.md
-
 RUN pip install --upgrade --no-cache-dir twine
 
-ENTRYPOINT ["twine"]
+WORKDIR /app
-CMD ["upload", "dist/*"]
+COPY LICENSE.md .
+COPY twine-upload.sh .
+
+RUN chmod +x twine-upload.sh
+ENTRYPOINT ["/app/twine-upload.sh"]

README.md

@@ -5,33 +5,50 @@ PyPI.
 
 
 ## Usage
-To use the action simply add the following lines in the end of your
-`.github/main.workflow`.
 
-```hcl
+To use the action add the following step to your workflow file (e.g.:
-action "Upload Python dist to PyPI" {
+`.github/workflows/main.yml`)
-  uses = "re-actors/pypi-action@master"
+
-  env = {
+
-    TWINE_USERNAME = "f'{your_project}-bot'"
+```yml
-  }
+- name: Publish a Python distribution to PyPI
-  secrets = ["TWINE_PASSWORD"]
+  uses: pypa/gh-action-pypi-publish@master
-}
+  with:
+    user: __token__
+    password: ${{ secrets.pypi_password }}
 ```
 
-N.B. Use a valid tag, or branch, or commit SHA instead
+A common use case is to upload packages only on a tagged commit, to do so add a
-of `master` to pin the action to use a specific version of it.
+filter to the step:
 
 
-### Environment Variables and Secrets
+```yml
-- **`TWINE_USERNAME`**: set this one to the username used to authenticate
+  if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags')
-against PyPI. _It is recommended to have a separate user account like
+```
-`f'{your_project}-bot'` having the lowest privileges possible on your
+
-target dist page._
+So the full step would look like:
-- **`TWINE_PASSWORD`**: it's a password for the account used in
+
-`TWINE_USERNAME` env var. **ATTENTION! WARNING! When adding this value
+
-to the Action node in your workflow, use SECRETS, not normal env vars.**
+```yml
+- name: Publish package
+  if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags')
+  uses: pypa/gh-action-pypi-publish@master
+  with:
+    user: __token__
+    password: ${{ secrets.pypi_password }}
+```
+
+The example above uses the new [API token](https://pypi.org/help/#apitoken)
+feature of PyPI, which is recommended to restrict the access the action has.
+
+The secret used in `${{ secrets.pypi_password }}` needs to be created on the settings
+page of your project on GitHub. See [Creating & using secrets].
 
 
 ## License
+
 The Dockerfile and associated scripts and documentation in this project
 are released under the [BSD 3-clause license](LICENSE.md).
+
+
+[Creating & using secrets]: https://help.github.com/en/articles/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables

action.yml

@@ -0,0 +1,24 @@
+---
+name: pypi-publish
+description: Upload Python distribution packages to PyPI
+inputs:
+  user:
+    description: PyPI user
+    required: false
+    default: __token__
+  password:
+    description: Password for your PyPI user or an access token
+    required: true
+  repository_url:
+    description: The repository URL to use
+    required: false
+branding:
+  color: yellow
+  icon: upload-cloud
+runs:
+  using: docker
+  image: Dockerfile
+  args:
+  - ${{ inputs.user }}
+  - ${{ inputs.password }}
+  - ${{ inputs.repository_url }}

twine-upload.sh

@@ -0,0 +1,7 @@
+#! /usr/bin/env bash
+set -Eeuo pipefail
+
+TWINE_USERNAME="$INPUT_USER" \
+TWINE_PASSWORD="$INPUT_PASSWORD" \
+TWINE_REPOSITORY_URL="$INPUT_REPOSITORY_URL" \
+  exec twine upload dist/*