Official GitHub Action for publishing to PyPI

Sure, will do :slight_smile:

1 Like

Did I miss anything here?

Hey folks,

I’ve been silent for a while and a few things have changed over time.
So here are a few updates:

  • GitHub Actions CI/CD workflow syntax has been swapped to YAML (it was HCL originally), and the Action now has updated metadata for that (an action.yml file as opposed to LABELs in the Dockerfile)
  • Jobs are now executed in VMs, not containers; GNU/Linux, macOS and Windows are supported natively
  • In addition to using Docker containers, it’s now possible to use JS that’ll be invoked in the context of the job env, w/o any isolation AFAIU
  • GitHub Actions will be generally available starting Nov 13, 2019
  • A number of people have found the Action repo on their own and posted some feedback and even PRs
  • I’ve submitted a PR (review pending) with a write-up on using this Action: https://github.com/pypa/packaging.python.org/pull/647
  • Warehouse now supports API token-based auth, which is recommended in the README and in that PR

Based on the above, it looks like after merging the packaging guide PR it’s a good time to finally publish this Action to GitHub Marketplace.

1 Like

Great work on the progress! Were you able to complete the various action items? It seems like the security review would be important to complete before publishing, as well as automated tests (preferably including some higher-level ones, as close to end-to-end as possible).

@cjerdonek testing ecosystem is rather poor now, so I think it’s acceptable to introduce it after publishing. While I totally want it to be there, I see it as a thing that’s stopping the process right now. If we don’t proceed now, we may end up seeing hundreds of low-quality actions published by others in the Marketplace, and from what I saw most of the actions have nothing even remotely resembling tests.

As for the security review, what exactly do you expect? I’m thinking of a small paragraph with a few pieces of advice.

I was just thinking that a PyPA member other than yourself could review that aspect of the code since this will be published under the PyPA name.

Ah, sure. I’ll ask @pradyunsg then. But really there’s more metadata and README than what you call code at this stage (just pip install + twine invocation). I hope that in the future it’ll get wrapped with Python so that we’ll have some “real” code :slight_smile:

2 Likes

Oh, in that case it should probably be a pretty quick review, then! :smile:

2 Likes

Haha.

I’d taken a look at the action a few weeks ago and didn’t really have any security-related concerns. I’ll take another look this evening, but generally I don’t have major concerns here tbh.

2 Likes

Now that the security review is done, nothing seems to block the publishing. The docs PR is in review, and it’s even better if the Action gets published first so that the Marketplace link can be included in that PR.

I’ll publish it soon once I have some time for this.

Here you go:

Published with the v1.0.0a0 tag as a pre-release.

2 Likes

Got some interesting feedback: https://github.com/pypa/gh-action-pypi-publish/issues/15#issue-498844870.
Apparently, Docker-based actions are only supported in GNU/Linux jobs.
I don’t think I want to bring in a JS runner, so I’ll probably document a way of building dists in one job and transferring the artifacts into the upload job, which will run on Ubuntu.

1 Like

This is a good idea anyway, as it reduces the exposure of any secrets you need for uploading. It can also make it easier to do isolated testing of your built packages before publishing them.

1 Like
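The two-job layout discussed in the last two posts (build the dists in one job, upload them from a separate Ubuntu job that is the only one handed the API token), as an added example workflow that is not from the thread, the packaging guide PR or the Action’s own docs. The secret name PYPI_API_TOKEN, the artifact name and the pinned action versions are assumptions.

```yaml
# Added example, not from the thread. Assumes a repository secret named
# PYPI_API_TOKEN holding a Warehouse API token, and the action versions below.
name: Build and publish

on:
  push:
    tags: ['v*']

# Least privilege for the default GITHUB_TOKEN: the workflow only reads the repo.
permissions:
  contents: read

jobs:
  build:
    # No secrets are referenced here, so build tooling and dependencies
    # never see the PyPI token.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - run: python -m pip install --upgrade build
      - run: python -m build          # writes sdist + wheel into dist/
      - uses: actions/upload-artifact@v4
        with:
          name: dist                  # assumed artifact name
          path: dist/

  publish:
    # Docker-based actions only run in GNU/Linux jobs, so the upload job is
    # pinned to Ubuntu. Only this job receives the API token.
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          user: __token__
          password: ${{ secrets.PYPI_API_TOKEN }}
```

A test step (for example installing the downloaded wheel into a fresh venv) can be inserted between download and upload, which is the isolated testing the post above refers to.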

Totally, that’s what I’ve also been trying to prove to a certain other CI provider lately :slight_smile:

FTR, here are some tweets by the GH Actions PM in reply to this thread: