Skip to content

CI: add PyPI Trusted-Publishing “publish” job to wheels workflow (#61669) #61718

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 23 commits into
base: main
Choose a base branch
from
+46 −3
Open

CI: add PyPI Trusted-Publishing “publish” job to wheels workflow (#61669) #61718

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
a419d40
CI: add Trusted Publishing job to wheels workflow (#61669)
Jun 26, 2025
abda427
Remove obsolete standalone publish workflow
Jun 26, 2025
6e9027c
CI: fix wheel-workflow YAML, drop win-arm64
Jun 26, 2025
e3e583d
CI: set project name to evgmosme-pandas for TestPyPI
Jun 26, 2025
9f9013e
CI: temporarily shrink workflow matrix and add
Jun 26, 2025
4e4cc1e
CI: skip pyodide wheel on TestPyPI upload
Jun 26, 2025
d311ce4
Restore original wheels.yml from upstream/main
Jun 26, 2025
6360900
CI: skip win_arm64 for tests, add final publish block
Jun 26, 2025
c15c176
CI: final Trusted-Publishing workflow (PyPI ready)
Jun 26, 2025
0332486
Docs & CI: add publish-comment header; final PyPI configuration
Jun 27, 2025
c675826
DOC: add Build/CI trusted-publishing entry to v3.0.0 whatsnew (#61669)
Jun 27, 2025
3cac6a5
CI: restore project name 'pandas' in pyproject.toml
Jun 27, 2025
45291a7
CI: normalize line endings in wheels.yml (pre-commit)
Jun 27, 2025
da41c89
DOC: replace <PR_NUMBER> with 61718 in whatsnew
Jun 27, 2025
409dcb4
CI: restrict publish job to upstream repo and add skip-existing
Jun 27, 2025
50afff6
DOC: move Trusted-Publishing note to 'Other enhancements'
Jun 27, 2025
b94eb08
workflow: enable Test PyPI publish job
Jun 30, 2025
58cb179
CI: fix indentation in wheels.yml (publish job)
Jun 30, 2025
7359e1b
CI: trigger wheels workflow on GitHub release (add release:published)
Jun 30, 2025
f482759
Update .github/workflows/wheels.yml
EvMossan Jul 1, 2025
0aa892f
Update doc/source/development/maintaining.rst
EvMossan Jul 1, 2025
da3c281
Update doc/source/development/maintaining.rst
EvMossan Jul 1, 2025
ba4c3bd
Update doc/source/development/maintaining.rst
EvMossan Jul 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions .github/workflows/wheels.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@
name: Wheel builder

on:
release:
types: [published]
Comment on lines +16 to +17
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@EpicWink you suggested to add this, but I am wondering if that is needed? As I understand, this wheels.yml workflow will run on the commit pushed to main with a tag, and so that way it will already run for a release? And we can then upload the wheels from that run?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A GitHub release publish happens after a push, allowing you to review the CI, and write release notes in the GitHub release, before triggering the publish to PyPI. Up to you how you want the release workflow to be, if you want to publish unconditionally.

schedule:
# 3:27 UTC every day
- cron: "27 3 * * *"
Expand Down Expand Up @@ -219,3 +221,42 @@ jobs:
source ci/upload_wheels.sh
set_upload_vars
upload_wheels
publish:
if: >
github.repository == 'pandas-dev/pandas' &&
github.event_name == 'release' &&
startsWith(github.ref, 'refs/tags/v')
needs:
- build_sdist
- build_wheels

runs-on: ubuntu-latest

environment:
name: pypi
permissions:
id-token: write # OIDC for Trusted Publishing
contents: read

steps:
- name: Download all artefacts
uses: actions/download-artifact@v4
with:
path: dist # everything lands in ./dist/**

- name: Collect files
run: |
mkdir -p upload
# skip any wheel that contains 'pyodide'
find dist -name '*pyodide*.whl' -prune -o \
-name '*.whl' -exec mv {} upload/ \;
find dist -name '*.tar.gz' -exec mv {} upload/ \;
- name: Publish to **PyPI** (Trusted Publishing)
uses: pypa/gh-action-pypi-publish@release/v1
with:
repository-url: https://upload.pypi.org/legacy/
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this line needed? (it's not included in the example in https://docs.pypi.org/trusted-publishers/using-a-publisher/)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not necessary, and as far as I know there's no recommendation to hard-code it. When the upload API 2.0 PEP lands, in site this URL and action will change anyway.

packages-dir: upload
skip-existing: true
7 changes: 4 additions & 3 deletions doc/source/development/maintaining.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -445,9 +445,10 @@ which will be triggered when the tag is pushed.
- Set as the latest release: Leave checked, unless releasing a patch release for an older version
(e.g. releasing 1.4.5 after 1.5 has been released)

5. Upload wheels to PyPI::

twine upload pandas/dist/pandas-<version>*.{whl,tar.gz} --skip-existing
5. Verify wheels are uploaded automatically by GitHub Actions
via [**Trusted Publishing**](https://docs.pypi.org/trusted-publishers/)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
via [**Trusted Publishing**](https://docs.pypi.org/trusted-publishers/)
via `**Trusted Publishing** <https://docs.pypi.org/trusted-publishers/>`__)

(this file is still in rst, not markdown)

when the GitHub [*Release*](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases)
is published. Do not run ``twine upload`` manually.

6. The GitHub release will after some hours trigger an
`automated conda-forge PR <https://github.com/conda-forge/pandas-feedstock/pulls>`_.
Expand Down
1 change: 1 addition & 0 deletions doc/source/whatsnew/v3.0.0.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,7 @@ Other enhancements
- Support passing a :class:`Iterable[Hashable]` input to :meth:`DataFrame.drop_duplicates` (:issue:`59237`)
- Support reading Stata 102-format (Stata 1) dta files (:issue:`58978`)
- Support reading Stata 110-format (Stata 7) dta files (:issue:`47176`)
- Switched wheel upload to **PyPI Trusted Publishing** (OIDC) for release-tag pushes in ``wheels.yml``. (:issue:`61718`)

.. ---------------------------------------------------------------------------
.. _whatsnew_300.notable_bug_fixes:
Expand Down
Loading