Add trusted publishing (while using uv)

Author: CoMPaTech

.github/workflows/merge.yml

@@ -18,6 +18,9 @@ jobs:
   publishing:
     name: Build and publish Python 🐍 distributions 📦 to PyPI
     runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+        id-token: write
     # Only trigger on merges, not just closes
     if: github.event.pull_request.merged == true
     steps:
@@ -28,16 +31,15 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: ${{ env.DEFAULT_PYTHON }}
-      - name: Install pypa/build
-        run: >-
-          python3 -m
-          pip install
-          build
-          --user
-      - name: Build a binary wheel and a source tarball
-        run: python3 -m build
+      - name: Prepare uv
+        run: |
+          pip install uv
+          uv venv --seed venv
+      - name: Build
+        run: |
+          . venv/bin/activate
+          uv build 
       - name: Publish distribution 📦 to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          password: ${{ secrets.pypi_token }}
-          skip-existing: true
+        run: |
+          . venv/bin/activate
+          uv publish 

.github/workflows/verify.yml

@@ -237,6 +237,9 @@ jobs:
   test-publishing:
     name: Build and publish Python 🐍 distributions 📦 to TestPyPI
     runs-on: ubuntu-latest
+    environment: testpypi
+    permissions:
+        id-token: write
     needs:
       - cache
       - prepare
@@ -245,29 +248,41 @@ jobs:
     steps:
       - name: Check out committed code
         uses: actions/checkout@v4
-      - name: Restore cached environment
-        id: cache-reuse
-        uses: plugwise/gh-actions/restore-venv@v1
-        with:
-          cache-key: ${{ needs.cache.outputs.cache-key }}
-          python-version: ${{ env.DEFAULT_PYTHON }}
-          venv-dir: ${{ env.VENV }}
-          precommit-home: ${{ env.PRE_COMMIT_HOME }}
-      - name: Install pypa/build
+      - name: Prepare uv
         run: |
+          pip install uv
+          uv venv --seed venv
           . venv/bin/activate
-          uv pip install build
-      - name: Build a binary wheel and a source tarball
+          uv pip install toml
+      - name: Check for existing package on TestPyPI
+        id: check_package
         run: |
           . venv/bin/activate
-          python3 -m build
-      - name: Publish distribution 📦 to Test PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
-        continue-on-error: true
-        with:
-          password: ${{ secrets.testpypi_token }}
-          repository-url: https://test.pypi.org/legacy/
-          skip-existing: true
+          PACKAGE_VERSION=$(python -c "import toml; print(toml.load('pyproject.toml')['project']['version'])")
+          PACKAGE_NAME=$(python -c "import toml; print(toml.load('pyproject.toml')['project']['name'])")
+
+          # Use jq to check for the version in the releases object
+          EXISTING_VERSIONS=$(curl -s "https://test.pypi.org/pypi/$PACKAGE_NAME/json" | jq '.releases | keys[]')
+
+          echo "Checking for package: $PACKAGE_NAME==$PACKAGE_VERSION"
+
+          if [[ "$EXISTING_VERSIONS" =~ "$PACKAGE_VERSION" ]]; then
+            echo "Package version already exists. Skipping upload."
+            echo "should_publish=false" >> $GITHUB_OUTPUT
+          else
+            echo "Package version does not exist. Proceeding with upload."
+            echo "should_publish=true" >> $GITHUB_OUTPUT
+          fi
+      - name: Build
+        if: steps.check_package.outputs.should_publish == 'true'
+        run: |
+          . venv/bin/activate
+          uv build
+      - name: Publish distribution 📦 to TestPyPI
+        if: steps.check_package.outputs.should_publish == 'true'
+        run: |
+          . venv/bin/activate
+          uv publish --publish-url https://test.pypi.org/legacy/
 
   complexity:
     name: Process test complexity

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## Ongoing
+
+- Chores move module publishing on (test)pypi to Trusted Publishing (and using uv)
+
 ## v1.7.7
 
 - Implement code quality improvements as suggested by SonarCloud via [#762](https://github.com/plugwise/python-plugwise/pull/762), [#763](https://github.com/plugwise/python-plugwise/pull/763), [#764](https://github.com/plugwise/python-plugwise/pull/764), and [#765](https://github.com/plugwise/python-plugwise/pull/765)