feat: add GitHub trusted publishing for PyPI releases

jdrhyne · jdrhyne · commit 7724d3d02325 · 2025-07-03T14:12:05.000-04:00
- Update release workflow to use trusted publishing instead of API tokens
- Add workflow to publish existing tags (for v1.0.2)
- Add comprehensive release process documentation
- Include v1.0.2 release notes

This eliminates the need for PyPI API tokens and uses GitHub's OIDC
authentication for more secure and reliable releases.
diff --git a/.github/workflows/publish-existing-tag.yml b/.github/workflows/publish-existing-tag.yml
@@ -0,0 +1,41 @@
+name: Publish Existing Tag to PyPI
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Tag to publish (e.g., v1.0.2)'
+        required: true
+        default: 'v1.0.2'
+
+jobs:
+  build-and-publish:
+    name: Build and Publish to PyPI
+    runs-on: ubuntu-latest
+    
+    # IMPORTANT: This permission is required for trusted publishing
+    permissions:
+      id-token: write
+    
+    steps:
+    - name: Checkout specific tag
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.inputs.tag }}
+    
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.10'
+    
+    - name: Install build dependencies
+      run: |
+        python -m pip install --upgrade pip
+        python -m pip install build
+    
+    - name: Build distribution
+      run: python -m build
+    
+    - name: Publish to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
+      # No need for username/password with trusted publishing!
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,11 +2,18 @@ name: Release
 
 on:
   release:
-    types: [created]
+    types: [published]  # Changed from 'created' to 'published' for better control
+  # Allow manual trigger
+  workflow_dispatch:
 
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    
+    # IMPORTANT: Required for trusted publishing
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - uses: actions/checkout@v4
@@ -16,16 +23,14 @@ jobs:
       with:
         python-version: '3.12'
 
-    - name: Install dependencies
+    - name: Install build dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install -e ".[dev]"
+        python -m pip install build
 
     - name: Build package
       run: python -m build
 
     - name: Publish to PyPI
-      env:
-        TWINE_USERNAME: __token__
-        TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
-      run: twine upload dist/*
+      uses: pypa/gh-action-pypi-publish@release/v1
+      # No API token needed with trusted publishing!
diff --git a/RELEASE_NOTES_v1.0.2.md b/RELEASE_NOTES_v1.0.2.md
@@ -0,0 +1,53 @@
+# v1.0.2 - Major Feature Release
+
+## What's Changed
+
+This release adds significant new functionality with 13 new Direct API methods and numerous stability improvements.
+
+### ✨ New Features
+
+#### Direct API Methods
+- `create_redactions_preset()` - Create redactions using predefined patterns (SSN, email, phone, etc.)
+- `create_redactions_regex()` - Create redactions using custom regex patterns
+- `create_redactions_text()` - Create redactions for specific text strings
+- `optimize_pdf()` - Optimize PDF file size and performance
+- `password_protect_pdf()` - Add password protection to PDFs
+- `set_pdf_metadata()` - Update PDF metadata (title, author)
+- `split_pdf()` - Split PDFs into multiple files based on page ranges
+- `duplicate_pdf_pages()` - Duplicate specific pages within a PDF
+- `delete_pdf_pages()` - Remove specific pages from a PDF
+- `add_page()` - Insert blank pages at specific positions
+- `apply_instant_json()` - Apply PSPDFKit Instant JSON annotations
+- `apply_xfdf()` - Apply XFDF annotations to PDFs
+- `set_page_label()` - Set custom page labels (Roman numerals, letters, etc.)
+
+#### Enhancements
+- 🖼️ Image file support for `watermark_pdf()` method - now accepts PNG/JPEG images as watermarks
+- 🧪 Improved CI/CD integration test strategy with better error reporting
+- 📈 Enhanced test coverage for all new Direct API methods
+
+### 🐛 Bug Fixes
+- Critical API compatibility issues in Direct API integration
+- Python 3.9 and 3.10 syntax compatibility across the codebase
+- Comprehensive CI failure resolution
+- Integration test fixes to match actual API behavior patterns
+- Ruff linting and formatting issues throughout the project
+- MyPy type checking errors and improved type annotations
+- Removed unsupported parameters from API calls
+- Fixed page range handling in split_pdf with proper defaults
+- Resolved runtime errors with isinstance union syntax
+- Updated test fixtures to use valid PNG images
+
+### 📋 Requirements
+- Python 3.10+ (maintained as per project design)
+- requests>=2.25.0,<3.0.0
+
+### 📦 Installation
+```bash
+pip install nutrient-dws==1.0.2
+```
+
+### 📚 Documentation
+See the [README](https://github.com/PSPDFKit/nutrient-dws-client-python#readme) for usage examples of the new features.
+
+**Full Changelog**: https://github.com/PSPDFKit/nutrient-dws-client-python/compare/v1.0.1...v1.0.2
diff --git a/RELEASE_PROCESS.md b/RELEASE_PROCESS.md
@@ -0,0 +1,66 @@
+# Release Process
+
+This document describes how to release a new version of nutrient-dws to PyPI using GitHub's trusted publishing.
+
+## Prerequisites
+
+1. PyPI account with maintainer access to nutrient-dws
+2. GitHub repository configured as a trusted publisher on PyPI
+3. Write access to the GitHub repository
+
+## Automatic Release Process (Recommended)
+
+### For New Releases
+
+1. Update version in `pyproject.toml`
+2. Update `CHANGELOG.md` with release notes
+3. Commit changes: `git commit -m "chore: prepare release v1.0.x"`
+4. Create and push tag: `git tag v1.0.x && git push origin v1.0.x`
+5. Create GitHub release:
+   - Go to https://github.com/PSPDFKit/nutrient-dws-client-python/releases/new
+   - Select the tag you just created
+   - Add release notes
+   - Click "Publish release"
+6. The `Release` workflow will automatically trigger and upload to PyPI
+
+### For Existing Tags (like v1.0.2)
+
+1. Go to Actions tab in GitHub
+2. Select "Publish Existing Tag to PyPI" workflow
+3. Click "Run workflow"
+4. Enter the tag name (e.g., `v1.0.2`)
+5. Click "Run workflow"
+6. Monitor the workflow progress
+
+## Manual Trigger
+
+You can also manually trigger the release workflow:
+1. Go to Actions tab
+2. Select "Release" workflow  
+3. Click "Run workflow"
+4. Select branch/tag and run
+
+## Verification
+
+After publishing:
+1. Check PyPI: https://pypi.org/project/nutrient-dws/
+2. Test installation: `pip install nutrient-dws==1.0.x`
+3. Verify the GitHub release page shows the release
+
+## Troubleshooting
+
+### Trusted Publisher Issues
+- Ensure the GitHub repository is configured as a trusted publisher on PyPI
+- Check that the workflow has `id-token: write` permission
+- Verify the PyPI project name matches exactly
+
+### Build Issues
+- Ensure `pyproject.toml` is valid
+- Check that all required files are present
+- Verify Python version compatibility
+
+## Security Notes
+
+- No API tokens or passwords are needed with trusted publishing
+- GitHub Actions uses OIDC to authenticate with PyPI
+- This is more secure than storing PyPI tokens as secrets
