pyvo icon indicating copy to clipboard operation
pyvo copied to clipboard
verified publisher icon astropy

Publish to PyPI using GitHub Actions

Open andamian opened this issue 5 years ago • 10 comments

The creation of a release in GitHub could be used to also publish a new release to PyPI. Either add a new job to the existing Actions flow or create a new flow all together. The credentials should be available from astropy organization.

andamian avatar Dec 09 '20 15:12 andamian

This is split from #244.

@astrofrog and @Cadair please feel free to comment on the idea. Thanks

andamian avatar Dec 09 '20 15:12 andamian

@saimn had success using Actions for PyPI release. You can see example in https://github.com/astropy/pytest-doctestplus/blob/master/.github/workflows/publish.yml . He did need to work with some admins for the necessary keys. In your case, you need to contact one of the people listed under Maintainers in https://pypi.org/project/pyvo/ .

pllim avatar Jan 13 '21 16:01 pllim

I'll have a look. Thanks @pllim

andamian avatar Jan 13 '21 18:01 andamian

I feel like #228 bumped the priority of this ticket a bit higher. @saimn - is your publishing GH Actions working well? Would you recommend it for PyVO?

@eteq and others - Does the astropy organization have an account on pypi? If it does, it can allow PyVO to inherit the credentials in GH and use them to publish. The advantage is that the main organization can control that account and refresh the tokens periodically. That should make it more secure than relying on a bunch of maintainer accounts. Have you done with other projects or thought of this?

andamian avatar Jun 08 '21 18:06 andamian

@bsipocz - I must admit I have no clue about the installation to conda. Can this be automated with GH Actions too?

andamian avatar Jun 08 '21 18:06 andamian

conda-forge is picking up releases automatically, once a new version is uploaded to PyPI. So no need to do anything from the pyvo side (except of course merge the conda-forge PR once it's all green and all version dependencies are updated).

bsipocz avatar Jun 08 '21 18:06 bsipocz

We used it only once or twice but yes it worked well. You just need to setup the PyPI API token once.

saimn avatar Jun 08 '21 19:06 saimn

You just need to setup the PyPI API token once.

Until something gets hacked, then you have refresh it. 😆

pllim avatar Jun 08 '21 20:06 pllim

You just need to setup the PyPI API token once.

Until something gets hacked, then you have refresh it. 😆

You can be pro-active and refresh it periodically. It's easier to control and do that using one organization account.

andamian avatar Jun 08 '21 21:06 andamian

Note: make sure the wheel file is also published (#228)

andamian avatar Jun 08 '21 23:06 andamian