ci: fix warnings and improve publish-python github workflow #41
mg-twentyone wants to merge 1 commit into
Conversation
Thanks for this! I'll need to make sure I understand how the new PyPI stuff works and the credentials and all but if it's all good then it should be a nice upgrade to our publishing flow.
Feel free to reach me if you need further information or details.
thunderbiscuit left a comment
Just a few questions!
Also this one needs a rebase now.
| on: [workflow_dispatch] | ||
| env: | ||
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true | ||
| PIP_NO_CACHE_DIR: "1" |
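Review bot: PIP_NO_CACHE_DIR by its name targets pip, while the cache that the description says is misbehaving is the setup-uv one already handled by enable-cache: false on astral-sh/setup-uv@v7, so either drop this variable or add a comment naming the pip step it is meant for. FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true is a temporary migration switch; a comment stating when it can go (the description gives the Node 20 deprecation date as June 2nd, 2026) would keep it from lingering after runners default to Node 24.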
Is that only for pip, or does it also affect uv? Wondering if we need it (Claude thinks we don't, but it also had wrong ideas about the non-existence of the artifact-metadata permission, which totally exists 😆). You also already disable the cache on the astral-sh/setup-uv@v7 action below, so I think that's covered.
| id-token: write | ||
| contents: read | ||
| attestations: write | ||
| artifact-metadata: write |
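Review bot: artifact-metadata: write is the one grant in this block whose consumer is not visible; a comment stating which step needs it (the description ties it to provenance attestations, but attestations: write already covers storing attestations) would make the least-privilege case reviewable. If this permissions block sits at workflow level rather than on the publish job, scope it to that job so the build matrix runs without id-token: write.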
Apparently (according to Claude at least), this is not mentioned in the PyPI documentation, and only the id-token, contents, and attestations permissions are required. Do you have it there for a specific reason or do you mind trying without?
| # - name: "Publish on test PyPI" | ||
| # uses: pypa/gh-action-pypi-publish@release/v1 | ||
| # with: | ||
| # user: __token__ | ||
| # password: ${{ secrets.TEST_PYPI_API_TOKEN }} | ||
| # repository_url: https://test.pypi.org/legacy/ | ||
| # packages_dir: dist/*/ | ||
| # repository-url: https://test.pypi.org/legacy/ | ||
| # packages-dir: dist/ |
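Review bot: this commented-out test PyPI block carries two spellings of the same inputs (repository_url and packages_dir next to repository-url and packages-dir) plus the user: __token__ / password: ${{ secrets.TEST_PYPI_API_TOKEN }} pattern the PR is retiring in favour of trusted publishing; delete it rather than keep both variants, and if a test PyPI path is wanted later it should follow the same token-free OIDC shape as the production step.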
Let's just remove those while we're here. We've never used test PyPI and I don't know that we will in the near future.
Description
This PR transitions the PyPI deployment workflow to a fully modern, warning-free configuration optimized for current GitHub Actions standards.
It upgrades to trusted publishing (OIDC) authentication, clears Node.js deprecation warnings (https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/), and ensures robust artifact management across a multi-platform compilation matrix.
Fixes #38
Notes to the reviewers
Key updates implemented in the .github/workflows/publish-python.yaml workflow:
Trusted Publishing Activation: Migrated the deployment step away from insecure API tokens (user: __token__) to modern OIDC (OpenID Connect) Trusted Publishing using the pypi environment, explicit id-token: write permissions, and automated SLSA provenance attestations (artifact-metadata: write).
Node.js Runner Upgrade: Bumped all core workflow dependencies (actions/checkout@v6, actions/upload-artifact@v7, and actions/download-artifact@v8) to remove impending Node.js runner deprecation blocks. FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true has been added to force runners to use Node 24 ahead of time (deprecation date scheduled for June 2nd, 2026).
Matrix Artifact Flattening: Integrated merge-multiple: true on the final artifact download stage. This eliminates pathing errors (dist/*/ vs dist/) caused by divergent directory generation across the platform runners (manylinux, macos, windows).
Cache Corruption Fix: Bound enable-cache: false onto astral-sh/setup-uv@v7 steps to proactively bypass systemic "Cache entry deserialization failed" warning loops during high-concurrency jobs.
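The job layout the notes above describe, written out as an added illustration (not the PR's own publish-python.yaml): the build matrix uploads one artifact per runner, and the publish job flattens them and uploads to PyPI through OIDC instead of a stored token. The uv build command, the artifact names and the secret name in the retired step are assumptions.

```yaml
name: publish-python
on: [workflow_dispatch]
env:
  # temporary migration switch; remove once runners default to Node 24
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
permissions: {}                      # no default grants; each job asks for its own
jobs:
  build:
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v6
      - uses: astral-sh/setup-uv@v7
        with:
          enable-cache: false        # sidestep "Cache entry deserialization failed" loops
      - run: uv build --wheel --out-dir dist   # assumption: the project builds with uv
      - uses: actions/upload-artifact@v7
        with:
          name: wheels-${{ matrix.os }}   # one artifact per runner (assumed naming)
          path: dist/
  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi                # must match the Trusted Publisher entry on PyPI
    permissions:
      id-token: write                # OIDC token that PyPI exchanges for a short-lived upload token
      contents: read
      attestations: write            # store the provenance attestations the action generates
    steps:
      - uses: actions/download-artifact@v8
        with:
          path: dist/
          merge-multiple: true       # contents of dist/wheels-*/ land directly in dist/
      # Retired pattern: a long-lived API token kept as a repository secret
      # - uses: pypa/gh-action-pypi-publish@release/v1
      #   with:
      #     user: __token__
      #     password: ${{ secrets.PYPI_API_TOKEN }}   # placeholder secret name
      #     packages_dir: dist/*/
      # Trusted publishing: no credential in the workflow or in repository secrets
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          packages-dir: dist/
```

The retired step is kept only as a comment for contrast; with trusted publishing the identity of the run (repository, workflow file and environment) is what PyPI checks, so there is no token to rotate or leak.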
TODO (for repo owner)
Add a Trusted Publisher to the PyPI project (support docs: https://docs.pypi.org/trusted-publishers/adding-a-publisher/).
Set the following values:
Project Name (required): bdkpython
Owner (required): bitcoindevkit
Repository name (required): bdk-python
Workflow name (required): publish-python.yaml
Environment name (optional): pypi (value included in the workflow)
Checklists
All Submissions:
cargo fmt and cargo clippy before committing
New Features:
Bugfixes: