c37b99ec5f
This change implements running dists verification before performing actual upload. It is controlled by the input called `verify_metadata` which is on by default.
PyPI publish GitHub Action
This action allows you to upload your Python distribution packages in the dist/ directory to PyPI.
This text gives a minimal usage overview. For a more detailed walkthrough, check out the PyPA guide.
Usage
To use the action, add the following step to your workflow file (e.g. .github/workflows/main.yml):

    - name: Publish a Python distribution to PyPI
      uses: pypa/gh-action-pypi-publish@master
      with:
        user: __token__
        password: ${{ secrets.pypi_password }}
Pro tip: instead of using branch pointers, like master, pin the versions of Actions that you use to tagged versions or sha1 commit identifiers. A branch (or tag) pointer can be moved to different code later, while a full commit identifier always resolves to the same code. This makes your workflows more secure and more reproducible, saving you from sudden and unpleasant surprises.
A common use case is to upload packages only on a tagged commit. To do so, add a filter to the step:

    if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags')

So the full step would look like:

    - name: Publish package
      if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags')
      uses: pypa/gh-action-pypi-publish@master
      with:
        user: __token__
        password: ${{ secrets.pypi_password }}
The example above uses the new API token feature of PyPI, which is recommended because it restricts the access the action has to the project the token was issued for.
The secret used in ${{ secrets.pypi_password }} needs to be created on the settings page of your project on GitHub. See Creating & using secrets.
Non-goals
This GitHub Action has nothing to do with building package distributions. Users are responsible for preparing dists for upload by putting them into the dist/ folder prior to running this Action.
Advanced release management
For best results, figure out what kind of workflow fits your project's specific needs.
For example, you could implement a parallel workflow that pushes every commit to TestPyPI or your own index server, like devpi. For this, you'd need to (1) specify a custom repository_url value and (2) generate a unique version number for each upload so that the uploads do not conflict. The latter is possible if you use the setuptools_scm package, but you could also invent your own solution based on the distance to the latest tagged commit.
You'll need to create another token for a separate host and then save it as a GitHub repo secret.
The action invocation in this case would look like:

    - name: Publish package to TestPyPI
      uses: pypa/gh-action-pypi-publish@master
      with:
        user: __token__
        password: ${{ secrets.test_pypi_password }}
        repository_url: https://test.pypi.org/legacy/
Customizing target package dists directory
You can change the default target directory of dist/ to any directory of your liking. The action invocation would then look like:

    - name: Publish package to PyPI
      uses: pypa/gh-action-pypi-publish@master
      with:
        user: __token__
        password: ${{ secrets.pypi_password }}
        packages_dir: custom-dir/
Disabling metadata verification
It is recommended that you run twine check just after producing your files, but this action also runs twine check before upload, so malformed metadata is caught before anything reaches the index. You can disable that check with:

    with:
      verify_metadata: false
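Putting the pieces above together, here is a complete workflow as an added example; it is not part of the project's README. The commit placeholder PINNED_SHA, the `v*` tag pattern, the secret names and the build command are assumptions to adapt to your project.

```yaml
# Added example, not the project's own workflow. PINNED_SHA is a placeholder:
# replace it with a tagged version or a full commit SHA, not a branch pointer.
name: Publish Python distribution

on:
  push:
    branches: [master]
    tags: ['v*']

jobs:
  build-and-publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.x'

      # Building is a non-goal of the action: produce the dists into dist/ first.
      - name: Build sdist and wheel into dist/
        run: |
          python -m pip install --upgrade pip setuptools wheel
          python setup.py sdist bdist_wheel

      # Every push to master goes to TestPyPI via a custom repository_url.
      # Each upload needs a unique version number (e.g. from setuptools_scm).
      - name: Publish to TestPyPI
        if: github.event_name == 'push' && github.ref == 'refs/heads/master'
        uses: pypa/gh-action-pypi-publish@PINNED_SHA
        with:
          user: __token__
          password: ${{ secrets.test_pypi_password }}
          repository_url: https://test.pypi.org/legacy/

      # Only tagged commits reach PyPI. The project-scoped API token limits what
      # the action can touch, and twine check runs first (verify_metadata defaults
      # to true; it is spelled out here for clarity).
      - name: Publish to PyPI
        if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags')
        uses: pypa/gh-action-pypi-publish@PINNED_SHA
        with:
          user: __token__
          password: ${{ secrets.pypi_password }}
          verify_metadata: true
```

Both publish steps live in one job so that the dists built in the first step are uploaded unchanged, and the `if` filters decide which index a given push reaches.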
License
The Dockerfile and associated scripts and documentation in this project are released under the BSD 3-clause license.