msgid "This guide relies on PyPI's `trusted publishing`_ implementation to connect to `GitHub Actions CI/CD`_. This is recommended for security reasons, since the generated tokens are created for each of your projects individually and expire automatically. Otherwise, you'll need to generate an `API token`_ for both PyPI and TestPyPI. In case of publishing to third-party indexes like :doc:`devpi <devpi:index>`, you may need to provide a username/password combination."
5674
+
msgid "This guide relies on PyPI's `Trusted Publishing`_ implementation to connect to `GitHub Actions CI/CD`_. This is recommended for security reasons, since the generated tokens are created for each of your projects individually and expire automatically. Otherwise, you'll need to generate an `API token`_ for both PyPI and TestPyPI. In case of publishing to third-party indexes like :doc:`devpi <devpi:index>`, you may need to provide a username/password combination."
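Review bot: The reference in the new msgid is now spelled `Trusted Publishing`_ where the old one had `trusted publishing`_, and the matching target definition is not part of the visible change. reStructuredText matches reference names case-insensitively, so the link should still resolve, but a docs build is worth running to confirm it. While this string is being touched, "This is recommended for security reasons" has an unclear antecedent; "Trusted Publishing is recommended for security reasons" would read more precisely.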
msgid "Since this guide will demonstrate uploading to both PyPI and TestPyPI, we'll need two trusted publishers configured. The following steps will lead you through creating the \"pending\" publishers for your new :term:`PyPI project <Project>`. However it is also possible to add `trusted publishing`_ to any pre-existing project, if you are its owner."
5678
+
msgid "Since this guide will demonstrate uploading to both PyPI and TestPyPI, we'll need two trusted publishers configured. The following steps will lead you through creating the \"pending\" publishers for your new :term:`PyPI project <Project>`. However it is also possible to add `Trusted Publishing`_ to any pre-existing project, if you are its owner."
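Review bot: The last sentence of the new msgid, "However it is also possible to add `Trusted Publishing`_ to any pre-existing project", is missing the comma after "However". Since the msgid changes here anyway, fixing it in the same edit means the string only has to be re-translated once. The earlier "two trusted publishers configured" stays lowercase, which looks intentional (the publisher object rather than the feature name), but it is worth confirming that this is the convention being adopted.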
msgid "Now, let's add initial setup for our job that will publish to PyPI. It's a process that will execute commands that we'll define later. In this guide, we'll use the latest stable Ubuntu LTS version provided by GitHub Actions. This also defines a GitHub Environment for the job to run in its context and a URL to be displayed in GitHub's UI nicely. Additionally, it allows acquiring an OpenID Connect token that the ``pypi-publish`` actions needs to implement secretless trusted publishing to PyPI."
5754
+
msgid "Now, let's add initial setup for our job that will publish to PyPI. It's a process that will execute commands that we'll define later. In this guide, we'll use the latest stable Ubuntu LTS version provided by GitHub Actions. This also defines a GitHub Environment for the job to run in its context and a URL to be displayed in GitHub's UI nicely. Additionally, it allows acquiring an OpenID Connect token that the ``pypi-publish`` actions needs to implement secretless Trusted Publishing to PyPI."
msgid "This step uses the `pypa/gh-action-pypi-publish`_ GitHub Action: after the stored distribution package has been downloaded by the `download-artifact`_ action, it uploads the contents of the ``dist/`` folder into PyPI unconditionally."
msgid "Starting with version `v1.11.0 <https://github.com/pypa/gh-action-pypi-publish/releases/tag/v1.11.0>`_, `pypa/gh-action-pypi-publish`_ generates and uploads :pep:`740`-compatible attestations for each distribution by default. No additional manual signing steps are required."
msgid "The following job signs the distribution packages with `Sigstore`_, the same artifact signing system `used to sign CPython <https://www.python.org/download/sigstore/>`_."
msgid "Firstly, it uses the `sigstore/gh-action-sigstore-python GitHub Action`_ to sign the distribution packages. In the next step, an empty GitHub Release from the current tag is created using the ``gh`` CLI. Note this step can be further customised. See the `gh release documentation <https://cli.github.com/manual/gh_release>`_ as a reference."
msgid "You may need to manage your ``GITHUB_TOKEN`` permissions to enable creating the GitHub Release. See the `GitHub documentation <https://docs.github.com/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-default-github_token-permissions>`_ for instructions. Specifically, the token needs the ``contents: write`` permission."
msgid "This is a replacement for GPG signatures, for which support has been `removed from PyPI <https://blog.pypi.org/posts/2023-05-23-removing-pgp/>`_. However, this job is not mandatory for uploading to PyPI and can be omitted."
msgid "Requiring manual approvals in the ``testpypi`` GitHub Environment is typically unnecessary as it's designed to run on each commit to the main branch and is often used to indicate a healthy release publishing pipeline."
msgid "Now, whenever you push a tagged commit to your Git repository remote on GitHub, this workflow will publish it to PyPI. And it'll publish any push to TestPyPI which is useful for providing test builds to your alpha users as well as making sure that your release pipeline remains healthy!"
msgid "If your repository has frequent commit activity and every push is uploaded to TestPyPI as described, the project might exceed the `PyPI project size limit <https://pypi.org/help/#project-size-limit>`_. The limit could be increased, but a better solution may constitute to use a PyPI-compatible server like :ref:`pypiserver` in the CI for testing purposes."
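Review bot: In the changed msgid that begins "Now, let's add initial setup for our job that will publish to PyPI", the final sentence still reads "the ``pypi-publish`` actions needs" after the change; it should be "action needs". Fixing it in the same edit that capitalizes "Trusted Publishing" avoids a second change to this string.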