Description
When we make a tag or a release, we need to then upload something to pypi so people can install with pip install --upgrade serpentTools
It would be beneficial and more efficient if github could perform this automatically for us for new tags. There are a few things to consider
- Running specific github actions for tags, not pushes to main / pull requests - github docs might be helpful
- Build wheel with `pip wheel --no-deps .` to create `serpentTools-TAG-py3-none-any.whl`
- Upload that to pypi using `twine`
Some caveats / things to look out for
setuptools_scm
I'm not sure how the tag will get propagated into the action, and we need the tag to work with setuptools_scm version setting - #500. There's the ability to force a version with environment variables SETUPTOOLS_SCM_PRETEND_VERSION or SETUPTOOLS_SCM_PRETEND_VERSION_FOR_serpentTools. If one of these environment variables is present in the job, and set to the tag name (maybe exposed from github?), the wheel should have the correct version
pypi authentication
It's recommended to use api tokens to upload to pypi with twine. But, we must not expose this token in any file tracked in this repository. Otherwise, someone could pull the token and upload a fake version to pypi.
I think there's a way to do this with github actions secrets, where the api token for pypi could be added to the project (maybe via settings or security?) and then exposed to the action. Then, we could do something like
`twine upload --username __token__ --password ${SERPENT_TOOLS_TWINE_API_TOKEN} serpentTools-0.11.0.whl`
The .whl wheel file is a made-up name, and same with the environment variable SERPENT_TOOLS_TWINE_API_TOKEN. But something like that could be exposed to the workflow.
We'd also want to make sure that that token is not exposed to any other jobs, nor printed in any jobs, so that it doesn't leak out.
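A tag-triggered workflow of the kind sketched above, as an added example and not serpentTools' own workflow; the tag pattern `v*`, the secret name `PYPI_API_TOKEN` and the action versions are assumptions:

```yaml
name: Publish to PyPI on tag

# Fire only for version tags, never for pushes to main or pull requests.
on:
  push:
    tags:
      - "v*"

# Least privilege: the job only needs to read the repository.
permissions:
  contents: read

jobs:
  build-and-publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so setuptools_scm can see the tag itself

      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      # Belt and braces: derive the version from the tag name (strip a leading "v")
      # and hand it to setuptools_scm explicitly via its override variable.
      # GITHUB_REF_NAME holds the short tag name for a tag push.
      - name: Pin version from tag
        run: echo "SETUPTOOLS_SCM_PRETEND_VERSION=${GITHUB_REF_NAME#v}" >> "$GITHUB_ENV"

      - name: Build wheel
        run: |
          python -m pip install --upgrade pip twine
          pip wheel --no-deps -w dist .
          twine check dist/*

      # The API token is a repository secret (assumed name: PYPI_API_TOKEN). It is
      # set only in this step's environment, so other steps and jobs never see it,
      # and twine reads it from TWINE_PASSWORD rather than from the command line.
      # GitHub masks registered secrets in logs, but never echo it deliberately.
      - name: Upload to PyPI
        env:
          TWINE_USERNAME: __token__
          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
        run: twine upload dist/*.whl
```

Keeping the secret in a step-level `env` block rather than in a shell command also keeps it out of the process list and out of the workflow file itself, which is the exposure the issue warns about.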