mirror of
https://github.com/kennethreitz/langchain.git
synced 2026-06-05 23:00:18 +00:00
Predrag Gruevski
9f08d29bc8
Trusted Publishing is the current best practice for publishing Python packages. Rather than long-lived secret keys, it uses OpenID Connect (OIDC) to allow our GitHub runner to directly authenticate itself to PyPI and get a short-lived publishing token. This locks down publishing quite a bit: - There's no long-lived publish key to steal anymore. - Publishing is *only* allowed via the *specifically designated* GitHub workflow in the designated repo. It also is operationally easier: no keys means there's nothing that needs to be periodically rotated, nothing to worry about leaking, and nobody can accidentally publish a release from their laptop because they happened to have PyPI keys set up. After this gets merged, we'll need to configure PyPI to start expecting trusted publishing. It's only a few clicks and should only take a minute; instructions are here: https://docs.pypi.org/trusted-publishers/adding-a-publisher/ More info: - https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/ - https://github.com/pypa/gh-action-pypi-publish
60 lines
1.8 KiB
YAML
60 lines
1.8 KiB
YAML
name: release
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
working-directory:
|
|
required: true
|
|
type: string
|
|
description: "From which folder this pipeline executes"
|
|
|
|
env:
|
|
POETRY_VERSION: "1.5.1"
|
|
|
|
jobs:
|
|
if_release:
|
|
# Disallow publishing from branches that aren't `master`.
|
|
if: github.ref == 'refs/heads/master'
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
# This permission is used for trusted publishing:
|
|
# https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
|
|
#
|
|
# Trusted publishing has to also be configured on PyPI for each package:
|
|
# https://docs.pypi.org/trusted-publishers/adding-a-publisher/
|
|
id-token: write
|
|
defaults:
|
|
run:
|
|
working-directory: ${{ inputs.working-directory }}
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- name: Install poetry
|
|
run: pipx install "poetry==$POETRY_VERSION"
|
|
- name: Set up Python 3.10
|
|
uses: actions/setup-python@v4
|
|
with:
|
|
python-version: "3.10"
|
|
cache: "poetry"
|
|
- name: Build project for distribution
|
|
run: poetry build
|
|
- name: Check Version
|
|
id: check-version
|
|
run: |
|
|
echo version=$(poetry version --short) >> $GITHUB_OUTPUT
|
|
- name: Create Release
|
|
uses: ncipollo/release-action@v1
|
|
if: ${{ inputs.working-directory == 'libs/langchain' }}
|
|
with:
|
|
artifacts: "dist/*"
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
draft: false
|
|
generateReleaseNotes: true
|
|
tag: v${{ steps.check-version.outputs.version }}
|
|
commit: master
|
|
- name: Publish package distributions to PyPI
|
|
uses: pypa/gh-action-pypi-publish@release/v1
|
|
with:
|
|
packages-dir: ${{ inputs.working-directory }}/dist/
|
|
verbose: true
|
|
print-hash: true
|