Add GitHub Actions workflow for Python package publishing #2545
This workflow automates the process of uploading a Python package to PyPI when a release is created. It includes steps for building the package and publishing it.
Pull request overview
This PR adds a GitHub Actions workflow for automated Python package publishing to PyPI when releases are created. However, the workflow appears to be incompatible with the repository's current structure and purpose.
Changes:
- Added .github/workflows/python-publish.yml with a two-job workflow for building and publishing Python packages to PyPI using trusted publishing
| - name: Build release distributions | ||
| run: | | ||
| # NOTE: put your own distribution build steps here. | ||
| python -m pip install build | ||
| python -m build | ||
|
|
||
| - name: Upload distributions | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: release-dists | ||
| path: dist/ | ||
|
|
||
| pypi-publish: | ||
| runs-on: ubuntu-latest | ||
| needs: | ||
| - release-build | ||
| permissions: | ||
| # IMPORTANT: this permission is mandatory for trusted publishing | ||
| id-token: write | ||
|
|
||
| # Dedicated environments with protections for publishing are strongly recommended. | ||
| # For more information, see: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules | ||
| environment: | ||
| name: pypi | ||
| # OPTIONAL: uncomment and update to include your PyPI project URL in the deployment status: | ||
| # url: https://pypi.org/p/YOURPROJECT | ||
| # | ||
| # ALTERNATIVE: if your GitHub Release name is the PyPI project version string | ||
| # ALTERNATIVE: exactly, uncomment the following line instead: | ||
| # url: https://pypi.org/project/YOURPROJECT/${{ github.event.release.name }} | ||
|
|
||
| steps: | ||
| - name: Retrieve release distributions | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: release-dists | ||
| path: dist/ | ||
|
|
||
| - name: Publish release distributions to PyPI | ||
| uses: pypa/gh-action-pypi-publish@release/v1 | ||
| with: | ||
| packages-dir: dist/ |
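Review bot: The three uses: lines (actions/upload-artifact@v4, actions/download-artifact@v4 and pypa/gh-action-pypi-publish@release/v1) point at a mutable tag or branch, and the last one runs in the pypi-publish job that holds id-token: write, so whatever that ref resolves to at release time is the code that can request the publishing token. Pin each action to a full commit SHA with the version in a trailing comment, and pin the version installed by python -m pip install build as well, since its output is what gets uploaded from dist/.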
Copilot
AI
Jan 10, 2026
This workflow appears to be incompatible with the repository's purpose and structure. The Azure Verified Modules repository is primarily focused on Bicep and Terraform IaC modules, not Python packages. The repository contains only one Python utility script (utilities/tools/platform/Parse-WAF-Security-Recommendations.py) and lacks the necessary Python packaging infrastructure such as pyproject.toml, setup.py, or __init__.py files required for the build step (line 33: python -m build) to function properly. Adding this workflow without the corresponding package configuration will cause failures when releases are published.
| - name: Build release distributions | |
| run: | | |
| # NOTE: put your own distribution build steps here. | |
| python -m pip install build | |
| python -m build | |
| - name: Upload distributions | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: release-dists | |
| path: dist/ | |
| pypi-publish: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - release-build | |
| permissions: | |
| # IMPORTANT: this permission is mandatory for trusted publishing | |
| id-token: write | |
| # Dedicated environments with protections for publishing are strongly recommended. | |
| # For more information, see: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules | |
| environment: | |
| name: pypi | |
| # OPTIONAL: uncomment and update to include your PyPI project URL in the deployment status: | |
| # url: https://pypi.org/p/YOURPROJECT | |
| # | |
| # ALTERNATIVE: if your GitHub Release name is the PyPI project version string | |
| # ALTERNATIVE: exactly, uncomment the following line instead: | |
| # url: https://pypi.org/project/YOURPROJECT/${{ github.event.release.name }} | |
| steps: | |
| - name: Retrieve release distributions | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: release-dists | |
| path: dist/ | |
| - name: Publish release distributions to PyPI | |
| uses: pypa/gh-action-pypi-publish@release/v1 | |
| with: | |
| packages-dir: dist/ | |
| - name: Validate Python files | |
| run: | | |
| # Validate that all Python files in the repository are syntactically correct. | |
| python -m compileall -q . |
|
|
||
| - name: Build release distributions | ||
| run: | | ||
| # NOTE: put your own distribution build steps here. |
Copilot
AI
Jan 10, 2026
This placeholder comment needs to be removed or replaced with actual project-specific build steps. The current implementation only shows the default template instructions which indicates incomplete configuration.
| # NOTE: put your own distribution build steps here. |
| # OPTIONAL: uncomment and update to include your PyPI project URL in the deployment status: | ||
| # url: https://pypi.org/p/YOURPROJECT | ||
| # | ||
| # ALTERNATIVE: if your GitHub Release name is the PyPI project version string | ||
| # ALTERNATIVE: exactly, uncomment the following line instead: | ||
| # url: https://pypi.org/project/YOURPROJECT/${{ github.event.release.name }} |
Copilot
AI
Jan 10, 2026
The placeholder comments for YOURPROJECT need to be replaced with the actual PyPI project name, or these lines should be removed if the project URL is not being configured. Leaving placeholder values in production workflows can cause confusion.
| # OPTIONAL: uncomment and update to include your PyPI project URL in the deployment status: | |
| # url: https://pypi.org/p/YOURPROJECT | |
| # | |
| # ALTERNATIVE: if your GitHub Release name is the PyPI project version string | |
| # ALTERNATIVE: exactly, uncomment the following line instead: | |
| # url: https://pypi.org/project/YOURPROJECT/${{ github.event.release.name }} |
| # Dedicated environments with protections for publishing are strongly recommended. | ||
| # For more information, see: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules | ||
| environment: | ||
| name: pypi |
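Review bot: The protection rules that the comment above environment: recommends are not established by this file; name: pypi only references an environment whose rules live in repository settings. Before merging, confirm that the pypi environment has required reviewers or a branch/tag restriction, and that the trusted publisher entry on PyPI names this environment, so that only a job running inside the protected environment can publish.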
Copilot
AI
Jan 10, 2026
The pypi environment must be properly configured in the GitHub repository settings with trusted publishing credentials before this workflow can successfully publish to PyPI. Without this configuration, the workflow will fail at the publishing step. Consider adding documentation or validation to ensure the environment is configured.
| name: pypi | |
| name: pypi | |
| # NOTE: Ensure that an environment named "pypi" is configured in your repository settings | |
| # NOTE: and linked to your PyPI project via trusted publishing before using this workflow. | |
| # NOTE: See https://docs.pypi.org/trusted-publishers/ and the PyPI project settings page | |
| # NOTE: to add this GitHub repository as a trusted publisher for your project. |