ARROW-192 Add Trusted Publishing (#179)

blink1073 · web-flow · commit 3f381509955a · 2023-12-12T14:49:54.000-06:00
* ARROW-192 Add Trusted Publishing

* update release process

* fix codeowners
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,2 +1,2 @@
 # Global owner for repo
-* @mongodb/dbx-python
+* @mongodb-labs/dbx-python
diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml
@@ -5,7 +5,6 @@ on:
     branches: ["main"]
     tags:
       - "**"
-  pull_request:
   workflow_dispatch:
 
 concurrency:
@@ -120,7 +119,7 @@ jobs:
           name: "sdist"
           path: ./bindings/python/dist/*.tar.gz
 
-  collect-dist:
+  collect_dist:
     runs-on: ubuntu-latest
     needs: [build_wheels, make_sdist]
     name: Download Wheels
@@ -134,5 +133,22 @@ jobs:
           find . -type d -empty -delete
       - uses: actions/upload-artifact@v3
         with:
-          name: all-dist
+          name: all-dist-${{ github.head_ref || github.ref_name }}
           path: "./*"
+
+  publish:
+    # https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#publishing-the-distribution-to-pypi
+    needs: [collect_dist]
+    if: startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      id-token: write
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v3
+      with:
+        name: all-dist-${{ github.head_ref || github.ref_name }}
+        path: dist/
+    - name: Publish distribution 📦 to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/bindings/python/RELEASE.rst b/bindings/python/RELEASE.rst
@@ -41,14 +41,11 @@ Release Process
      $ git push
      $ git push --tags
 
-#. Download the release assets from the "Python Wheels" Github Workflow, e.g.
-https://github.com/mongodb-labs/mongo-arrow/actions/runs/2060477840.
+#. Pushing a tag will trigger the release process on GitHub Actions that will require a member of the team
+   to authorize the deployment. Navigate to https://github.com/mongodb-labs/mongo-arrow/actions/workflows/release-python.yml
+   and wait for the publish to complete.
 
-#. Upload all the release packages to PyPI with twine::
-
-     $ python3 -m twine upload dist/*
-
-#. Make sure the new version appears on https://mongo-arrow.readthedocs.io/en/latest/. If the
+#. Make sure the new version appears on https://mongo-arrow.readthedocs.io/en/stable/. If the
    new version does not show up automatically, trigger a rebuild of "latest":
    https://readthedocs.org/projects/mongo-arrow/builds/
 
@@ -61,3 +58,6 @@ https://github.com/mongodb-labs/mongo-arrow/actions/runs/2060477840.
    The title should be "PyMongoArrow X.Y.Z", and the description should contain
    a link to the release notes on the the community forum, e.g.
    "Release notes: mongodb.com/community/forums/t/pymongoarrow-0-1-1-released/104574."
+
+#. Wait for automated update PR on conda-forge, e.g.:  https://github.com/conda-forge/pymongoarrow-feedstock/pull/24
+   Update dependencies if needed.

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`# Global owner for repo`
`2`		`-* @mongodb/dbx-python`
	`2`	`+* @mongodb-labs/dbx-python`