Allow publishing to pypi when tags are pushed #93

Open
wants to merge 4 commits into base: main
95 changes: 95 additions & 0 deletions .github/workflows/release-pypi.yml
@@ -0,0 +1,95 @@
name: publish kyber-py to pypi

on: push

jobs:
build:
name: Build distribution
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.x"
- name: Install pypa/build
run: >-
python3 -m
pip install
build
--user
- name: Build a binary wheel and a source tarball
run: python3 -m build
- name: Store the distribution packages
uses: actions/upload-artifact@v4
with:
name: python-package-distributions
path: dist/

publish-to-pypi:
name: >-
Publish Python distribution to PyPI
if: startsWith(github.ref, 'refs/tags/') # only publish to PyPI on tag pushes
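Review bot: `on: push` runs the build job for every push to any branch or tag, while only the publish job below is guarded by the `if:`; the extra builds are harmless, but narrowing the trigger (`on: push: tags: ['*']`, plus whatever branches you want CI builds for) keeps the release workflow from being queued on every commit. More importantly for a workflow that ends in a PyPI upload, every `uses:` in this job references a mutable tag (`actions/checkout@v4`, `actions/setup-python@v5`, `actions/upload-artifact@v4`). Pinning each action to a full commit SHA, with the tag kept in a trailing comment, means a retagged or compromised action cannot silently alter the artifacts in `dist/` that the publish job later uploads with its OIDC token.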

There's newer syntax available now:

Suggested change
if: startsWith(github.ref, 'refs/tags/') # only publish to PyPI on tag pushes
if: github.ref_type == 'tag' # only publish to PyPI on tag pushes

needs:
- build
runs-on: ubuntu-latest
environment:
name: pypi
url: https://pypi.org/p/kyber-py
permissions:
id-token: write # IMPORTANT: mandatory for trusted publishing

steps:
- name: Download all the dists
uses: actions/download-artifact@v4
with:
name: python-package-distributions
path: dist/
- name: Publish distribution to PyPI
uses: pypa/gh-action-pypi-publish@release/v1

github-release:
name: >-
Sign the Python distribution with Sigstore
and upload them to GitHub Release
needs:
- publish-to-pypi
runs-on: ubuntu-latest

permissions:
contents: write # IMPORTANT: mandatory for making GitHub Releases
id-token: write # IMPORTANT: mandatory for sigstore

steps:
- name: Download all the dists
uses: actions/download-artifact@v4
with:
name: python-package-distributions
path: dist/
- name: Sign the dists with Sigstore
uses: sigstore/[email protected]
with:
inputs: >-
./dist/*.tar.gz
./dist/*.whl
- name: Create GitHub Release
env:
GITHUB_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
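Review bot: `GITHUB_TOKEN: ${{ secrets.PYPI_API_TOKEN }}` hands `gh` a PyPI token, which the GitHub API rejects, so the `gh release create` that follows will fail; it should be `GITHUB_TOKEN: ${{ github.token }}`. Note that the publish job above uses trusted publishing (`id-token: write` and no `password` input on `pypa/gh-action-pypi-publish`), so this workflow needs no PyPI API token at all and the `PYPI_API_TOKEN` secret can be deleted once the trusted publisher is registered on PyPI. Since `environment: pypi` is what PyPI trusts, lock that environment down in the repository settings as well (deployment restricted to protected tags, optionally a required reviewer); otherwise anyone with write access can push an arbitrary tag and mint a publishing token.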


PyPI?

run: >-
gh release create
"$GITHUB_REF_NAME"
--repo "$GITHUB_REPOSITORY"
--notes ""
- name: Upload artifact signatures to GitHub Release
env:
GITHUB_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
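Review bot: `--notes ""` in the create step produces a release with an empty body; `gh release create --generate-notes` fills it from the commits and merged PRs since the previous tag, or `--notes-file` if you keep a changelog. This step's `env:` repeats the `GITHUB_TOKEN: ${{ secrets.PYPI_API_TOKEN }}` mistake and needs the same `${{ github.token }}` fix, otherwise, once the create step works, the signature upload fails after the release already exists and the package has already gone to PyPI.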


PyPI? Did you mean

Suggested change
GITHUB_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
GITHUB_TOKEN: ${{ github.token }}

Owner Author


I'm just using the API secret from pypi and the above is the name I gave it?


@GiacomoPope the above PYPI_API_TOKEN string is the name of the secret in the repo settings, yes. Passing it to GH CLI will make it incapable of making API calls to GH because for GH API, it's invalid. GitHub token has nothing to do with PyPI. ${{ github.token }} contains an automatically assigned token that exists @ GHA.

Owner Author


So do I need to add the API token elsewhere, or is having secrets.PYPI_API_TOKEN populated enough to have github.token use the right token?

Owner Author


For example, I have this:

GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
for the coveralls API token


@webknjaz webknjaz Feb 26, 2025


${{ github.token }} is the same as ${{ secrets.GITHUB_TOKEN }}. You can use one of these. It holds a short-lived GH API token with privileges restricted by the permissions: setting + a couple of other things (like what's the triggering effect and whether the env is considered trusted). There's a few differences from the installation access tokens one would get via regular GitHub Apps but those are not important in this context.


Oh, and what you linked is not a coveralls API token. It's a GitHub token that you happen to expose to the coveralls program.

Owner Author


Oh right... I think I'm confusing myself.

Last time I did a PyPI package I used Maturin and included

MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}

So I thought I needed the same here. My main question now is, if I'm setting up a GitHub API token, how do I properly link this to the PyPI API token I have generated?

Sorry for ignorance on my behalf. I'm really a mathematician pretending I know how to code haha
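The two things this thread turns on, a PyPI secret handed to `gh` as `GITHUB_TOKEN` and the `id-token: write` permission that trusted publishing requires, are easy to catch before a tag is ever pushed. What follows is an added example, not code from kyber-py, from the PR, or from either participant: a small stdlib-only Python scan of a workflow file that flags those two mistakes plus any `uses:` reference not pinned to a full commit SHA. The embedded workflow text is constructed for the example (it mirrors the shape of the PR's `release-pypi.yml`; the 40-hex SHA on the download-artifact step is a placeholder, not a real commit), and the indentation assumptions are stated in the docstring.

```python
"""Static checks for the GitHub Actions mistakes discussed in this thread.

Added example (not part of kyber-py): a line-based scan of a workflow file
using only `re`, no YAML parser, that flags

  1. GITHUB_TOKEN / GH_TOKEN populated from a repository secret other than
     secrets.GITHUB_TOKEN (e.g. a PyPI token), which `gh` cannot use;
  2. `uses:` references pinned to a mutable tag or branch instead of a
     full 40-hex commit SHA;
  3. a job that runs pypa/gh-action-pypi-publish without `id-token: write`
     in its own permissions block (trusted publishing needs it).

Assumptions: jobs are indented by exactly two spaces under `jobs:` and
permissions are declared per job (a workflow-level block is ignored).
"""
import re
import sys

TOKEN_ENV = re.compile(
    r"^\s*(GITHUB_TOKEN|GH_TOKEN)\s*:\s*\$\{\{\s*secrets\.(\w+)\s*\}\}"
)
USES = re.compile(r"^\s*-?\s*uses\s*:\s*([\w.\-/]+)@(\S+)")
JOB_HEADER = re.compile(r"^  ([\w-]+):\s*$")
ID_TOKEN_WRITE = re.compile(r"^\s*id-token\s*:\s*write\s*$")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
PYPI_PUBLISH = "pypa/gh-action-pypi-publish"

# Constructed sample in the shape of the PR's workflow; the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: publish kyber-py to pypi
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
  publish-to-pypi:
    if: github.ref_type == 'tag'
    needs: [build]
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: pypa/gh-action-pypi-publish@release/v1
  github-release:
    needs: [publish-to-pypi]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Create GitHub Release
        env:
          GITHUB_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
        run: gh release create "$GITHUB_REF_NAME" --repo "$GITHUB_REPOSITORY"
"""


def scan_workflow(text):
    """Return a list of (line_number, message); line 0 marks a job-level finding."""
    findings = []
    jobs = {}          # job name -> {"publish": bool, "id_token": bool}
    job = None
    in_jobs = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip() == "jobs:":
            in_jobs = True
            continue
        if in_jobs:
            m = JOB_HEADER.match(line)
            if m:
                job = m.group(1)
                jobs[job] = {"publish": False, "id_token": False}
        m = TOKEN_ENV.match(line)
        if m and m.group(2) != "GITHUB_TOKEN":
            # A non-GitHub secret in GITHUB_TOKEN is rejected by the GitHub API.
            findings.append((lineno, "%s is set from secrets.%s; gh needs "
                             "${{ github.token }}" % m.groups()))
        m = USES.match(line)
        if m:
            action, ref = m.groups()
            if not FULL_SHA.match(ref):
                findings.append((lineno, "%s@%s is not pinned to a commit SHA"
                                 % (action, ref)))
            if action == PYPI_PUBLISH and job:
                jobs[job]["publish"] = True
        if job and ID_TOKEN_WRITE.match(line):
            jobs[job]["id_token"] = True
    for name, info in jobs.items():
        if info["publish"] and not info["id_token"]:
            findings.append((0, "job %s publishes to PyPI without "
                             "id-token: write" % name))
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    for line_no, message in scan_workflow(source):
        print("line %d: %s" % (line_no, message))
```

Run it as `python check_workflow.py .github/workflows/release-pypi.yml` (the file name is arbitrary). On the constructed sample it reports the unpinned `actions/checkout@v4` and `pypa/gh-action-pypi-publish@release/v1` references and the `secrets.PYPI_API_TOKEN` passed as `GITHUB_TOKEN`; the pinned download-artifact step is left alone, and removing the `id-token: write` line adds a job-level finding for `publish-to-pypi`.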

# Upload to GitHub Release using the `gh` CLI.
# `dist/` contains the built packages, and the
# sigstore-produced signatures and certificates.
run: >-
gh release upload
"$GITHUB_REF_NAME" dist/**
--repo "$GITHUB_REPOSITORY"
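Review bot: the comment above this step says `dist/` holds "signatures and certificates", but check what `sigstore/[email protected]` actually writes there before relying on the glob; v3 emits `.sigstore.json` bundles rather than separate `.sig` and `.crt` files, so the comment should say what is really being uploaded. Also, `dist/**` only recurses when bash `globstar` is enabled, which it is not in the default `run` shell, so it behaves as `dist/*`; since everything sits at the top level of `dist/`, writing `dist/*` says what is meant.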
22 changes: 22 additions & 0 deletions pyproject.toml
@@ -1,3 +1,25 @@
[build-system]
requires = ["hatchling"]
build-backend = "hatchling.build"

[project]
name = "kyber-py"
version = "1.0.0"
requires-python = ">=3.9"
description = "A pure python implementation of ML-KEM (FIPS 203)"
readme = "README.md"
classifiers = [
"Topic :: Security :: Cryptography",
"Programming Language :: Python :: 3",
"License :: OSI Approved :: MIT License",
]
license = "MIT"
license-files = ["LICEN[CS]E*"]

[project.urls]
Homepage = "https://github.com/GiacomoPope/kyber-py"
Issues = "https://github.com/GiacomoPope/kyber-py/issues"

[tool.black]
line-length = 79
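Review bot: `version = "1.0.0"` is hardcoded while the release is driven by whatever tag gets pushed, so nothing ties the tag name to the version that reaches PyPI; pushing `v1.0.1` without bumping this field would try to upload `kyber-py 1.0.0` again. Either derive the version from the tag (hatchling's `hatch-vcs` plugin does this) or add a step in the build job that compares `$GITHUB_REF_NAME` with the version in `pyproject.toml` and fails the run on mismatch. Separately, `license = "MIT"` together with `license-files` is the PEP 639 form, which only recent hatchling releases accept; with `requires = ["hatchling"]` unpinned the build pulls whatever is current, so a lower bound such as `hatchling>=1.27` makes the requirement explicit and keeps rebuilds reproducible.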
