Merge pull request #286 from plugwise/tp

Migrate to Trusted Publishing (pypi)

Author: bouwew

.github/workflows/merge.yml

@@ -13,32 +13,52 @@ on:
     types: closed
     branches:
       - main
-      - async
 
 jobs:
   publishing:
     name: Build and publish Python 🐍 distributions 📦 to PyPI
     runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      contents: read     # Required by actions/checkout
+      id-token: write    # Needed for OIDC-based Trusted Publishing
     # Only trigger on merges, not just closes
     if: github.event.pull_request.merged == true
     steps:
       - name: Check out committed code
         uses: actions/checkout@v4
-      - name: Set up Python ${{ env.DEFAULT_PYTHON }}
-        id: python
-        uses: actions/setup-python@v5
-        with:
-          python-version: ${{ env.DEFAULT_PYTHON }}
-      - name: Install pypa/build
-        run: >-
-          python3 -m
-          pip install
-          build
-          --user
-      - name: Build a binary wheel and a source tarball
-        run: python3 -m build
+      - name: Prepare uv
+        run: |
+          pip install uv
+          uv venv --seed venv
+          . venv/bin/activate
+          uv pip install toml
+      - name: Check for existing package on PyPI
+        id: check_package
+        run: |
+          . venv/bin/activate
+          PACKAGE_VERSION=$(python -c "import toml; print(toml.load('pyproject.toml')['project']['version'])")
+          PACKAGE_NAME=$(python -c "import toml; print(toml.load('pyproject.toml')['project']['name'])")
+
+          # Use jq to check for the version in the releases object
+          EXISTING_VERSIONS=$(curl -s "https://pypi.org/pypi/$PACKAGE_NAME/json" | jq '.releases | keys[]')
+
+          echo "Checking for package: $PACKAGE_NAME==$PACKAGE_VERSION"
+
+          if [[ "$EXISTING_VERSIONS" =~ "$PACKAGE_VERSION" ]]; then
+            echo "Package version already exists. Skipping upload."
+            echo "should_publish=false" >> $GITHUB_OUTPUT
+          else
+            echo "Package version does not exist. Proceeding with upload."
+            echo "should_publish=true" >> $GITHUB_OUTPUT
+          fi
+      - name: Build
+        if: steps.check_package.outputs.should_publish == 'true'
+        run: |
+          . venv/bin/activate
+          uv build
       - name: Publish distribution 📦 to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          password: ${{ secrets.pypi_token }}
-          skip_existing: true
+        if: steps.check_package.outputs.should_publish == 'true'
+        run: |
+          . venv/bin/activate
+          uv publish

.github/workflows/verify.yml

@@ -273,6 +273,10 @@ jobs:
   test-publishing:
     name: Build and publish Python 🐍 distributions 📦 to TestPyPI
     runs-on: ubuntu-latest
+    environment: testpypi
+    permissions:
+      contents: read     # Required by actions/checkout
+      id-token: write    # Needed for OIDC-based Trusted Publishing
     needs:
       - cache
       - prepare
@@ -281,34 +285,41 @@ jobs:
     steps:
       - name: Check out committed code
         uses: actions/checkout@v4
-      - name: Set up Python ${{ env.DEFAULT_PYTHON }}
-        id: python
-        uses: actions/setup-python@v5
-        with:
-          python-version: ${{ env.DEFAULT_PYTHON }}
-      - name: Create or reuse cache
-        id: cache-reuse
-        uses: ./.github/actions/restore-venv
-        with:
-          cache-key: ${{ needs.cache.outputs.cache-key }}
-          python-version: ${{ steps.python.outputs.python-version }}
-          venv-dir: ${{ env.VENV }}
-          precommit-home: ${{ env.PRE_COMMIT_HOME }}
-      - name: Install pypa/build
+      - name: Prepare uv
         run: |
+          pip install uv
+          uv venv --seed venv
           . venv/bin/activate
-          uv pip install build
-      - name: Build a binary wheel and a source tarball
+          uv pip install toml
+      - name: Check for existing package on TestPyPI
+        id: check_package
         run: |
           . venv/bin/activate
-          python3 -m build
-      - name: Publish distribution 📦 to Test PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
-        continue-on-error: true
-        with:
-          password: ${{ secrets.testpypi_token }}
-          repository_url: https://test.pypi.org/legacy/
-          skip_existing: true
+          PACKAGE_VERSION=$(python -c "import toml; print(toml.load('pyproject.toml')['project']['version'])")
+          PACKAGE_NAME=$(python -c "import toml; print(toml.load('pyproject.toml')['project']['name'])")
+
+          # Use jq to check for the version in the releases object
+          EXISTING_VERSIONS=$(curl -s "https://test.pypi.org/pypi/$PACKAGE_NAME/json" | jq '.releases | keys[]')
+
+          echo "Checking for package: $PACKAGE_NAME==$PACKAGE_VERSION"
+
+          if [[ "$EXISTING_VERSIONS" =~ "$PACKAGE_VERSION" ]]; then
+            echo "Package version already exists. Skipping upload."
+            echo "should_publish=false" >> $GITHUB_OUTPUT
+          else
+            echo "Package version does not exist. Proceeding with upload."
+            echo "should_publish=true" >> $GITHUB_OUTPUT
+          fi
+      - name: Build
+        if: steps.check_package.outputs.should_publish == 'true'
+        run: |
+          . venv/bin/activate
+          uv build
+      - name: Publish distribution 📦 to TestPyPI
+        if: steps.check_package.outputs.should_publish == 'true'
+        run: |
+          . venv/bin/activate
+          uv publish --publish-url https://test.pypi.org/legacy/
 
   complexity:
     name: Process test complexity

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## Ongoing / v0.44.8a0
+
+- Chores move module publishing on (test)pypi to Trusted Publishing (and using uv) - released as alpha 0.44.8a0 to demonstrate functionality
+
 ## v0.44.7 - 2025-07-08
 
 - PR [282](https://github.com/plugwise/python-plugwise-usb/pull/282): Finalize switch implementation