Revisit GitHub Actions

r-brown · r-brown · commit c5976cc82dcf · 2026-05-15T08:42:23.000+02:00
diff --git a/.github/workflows/netlicensing-publish-pypi.yml b/.github/workflows/netlicensing-publish-pypi.yml
@@ -1,31 +1,68 @@
-# This workflows will upload a Python Package using Twine when a release is created
-# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
+# Publishes the package to PyPI when a GitHub Release is *published*
+# (not on draft creation — only when you click "Publish release").
+#
+# Authentication: uses PyPI Trusted Publisher (OIDC) — no long-lived secrets
+# needed.  Configure a Trusted Publisher for this repo on pypi.org first:
+#   https://docs.pypi.org/trusted-publishers/adding-a-publisher/
+#
+# If you prefer an API token instead, remove the `environment` + `permissions`
+# blocks and uncomment:
+#   password: ${{ secrets.PYPI_API_TOKEN }}
+# in the "Publish" step below.
 
 name: Python Client - Publish to PyPI
 
 on:
   release:
-    types: [created]
+    types: [published]
 
 jobs:
-  deploy:
+  test:
+    name: "Test before publish"
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+          cache: pip
+
+      - name: Install dependencies
+        run: pip install -e ".[dev]"
+
+      - name: Test with pytest
+        run: pytest
 
+  publish:
+    name: "Build and publish to PyPI"
     runs-on: ubuntu-latest
+    needs: test
+
+    environment: pypi
+    permissions:
+      id-token: write   # required for OIDC Trusted Publisher
 
     steps:
-    - uses: actions/checkout@v2
-    - name: Set up Python
-      uses: actions/setup-python@v2
-      with:
-        python-version: '3.x'
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install setuptools wheel twine
-    - name: Build and publish
-      env:
-        TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
-        TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
-      run: |
-        python setup.py sdist bdist_wheel
-        twine upload dist/*
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+          cache: pip
+
+      - name: Install build tools
+        run: pip install build twine
+
+      - name: Build distribution
+        run: python -m build
+
+      - name: Check distribution metadata
+        run: twine check dist/*
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        # Uncomment the next line to use an API token instead of Trusted Publisher:
+        # with:
+        #   password: ${{ secrets.PYPI_API_TOKEN }}
diff --git a/.github/workflows/netlicensing-publish-testpypi.yml b/.github/workflows/netlicensing-publish-testpypi.yml
@@ -1,31 +1,78 @@
-# This workflows will upload a Python Package using Twine when a release is created
-# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
+# Publishes the package to TestPyPI to smoke-test the publish pipeline.
+#
+# Triggers:
+#   • Every push to master (validates the pipeline continuously; existing
+#     versions are skipped so repeated pushes with the same version are safe).
+#   • Manual dispatch from the Actions tab (workflow_dispatch).
+#
+# Authentication: uses TestPyPI Trusted Publisher (OIDC).  Configure a
+# Trusted Publisher for this repo on test.pypi.org first:
+#   https://docs.pypi.org/trusted-publishers/adding-a-publisher/
+#
+# If you prefer an API token instead, remove the `environment` + `permissions`
+# blocks and uncomment:
+#   password: ${{ secrets.TESTPYPI_API_TOKEN }}
+# in the "Publish" step below.
 
 name: Python Client - Publish to TestPyPI
 
 on:
-  release:
-    types: [created]
+  push:
+    branches: [master]
+  workflow_dispatch:
 
 jobs:
-  deploy:
+  test:
+    name: "Test before publish"
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+          cache: pip
+
+      - name: Install dependencies
+        run: pip install -e ".[dev]"
+
+      - name: Test with pytest
+        run: pytest
 
+  publish:
+    name: "Build and publish to TestPyPI"
     runs-on: ubuntu-latest
+    needs: test
+
+    environment: testpypi
+    permissions:
+      id-token: write   # required for OIDC Trusted Publisher
 
     steps:
-    - uses: actions/checkout@v2
-    - name: Set up Python
-      uses: actions/setup-python@v2
-      with:
-        python-version: '3.x'
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install setuptools wheel twine
-    - name: Build and publish
-      env:
-        TWINE_USERNAME: ${{ secrets.TESTPYPI_USERNAME }}
-        TWINE_PASSWORD: ${{ secrets.TESTPYPI_PASSWORD }}
-      run: |
-        python setup.py sdist bdist_wheel
-        twine upload -r testpypi dist/*
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+          cache: pip
+
+      - name: Install build tools
+        run: pip install build twine
+
+      - name: Build distribution
+        run: python -m build
+
+      - name: Check distribution metadata
+        run: twine check dist/*
+
+      - name: Publish to TestPyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          skip-existing: true   # same version from repeated master pushes is harmless
+        # Uncomment the next line to use an API token instead of Trusted Publisher:
+        # with:
+        #   repository-url: https://test.pypi.org/legacy/
+        #   password: ${{ secrets.TESTPYPI_API_TOKEN }}
+        #   skip-existing: true
diff --git a/.github/workflows/netlicensing-python-ci.yml b/.github/workflows/netlicensing-python-ci.yml
@@ -1,42 +1,68 @@
-# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
-# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+# Runs on every push / pull-request against master.
+# Matrix: Python 3.10 – 3.13  |  type-check (mypy) + tests (pytest) + coverage
 
 name: Python Client - CI
 
 on:
   push:
-    branches: [ master ]
+    branches: [master]
   pull_request:
-    branches: [ master ]
+    branches: [master]
 
 jobs:
-  build:
-
+  test:
+    name: "Test · Python ${{ matrix.python-version }}"
     runs-on: ubuntu-latest
+
     strategy:
+      fail-fast: false
       matrix:
-        python-version: [3.6, 3.7, 3.8]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
 
     steps:
-    - uses: actions/checkout@v2
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v2
-      with:
-        python-version: ${{ matrix.python-version }}
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install flake8 pytest
-        if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
-    - name: Lint with flake8
-      run: |
-        # stop the build if there are Python syntax errors or undefined names
-        flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
-        # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
-        flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
-    - name: Test with pytest
-      run: |
-        pytest
-    - name: Upload Codecov
-      run: |
-        bash <(curl -s https://codecov.io/bash)
+      - uses: actions/checkout@v4
+
+      - name: "Set up Python ${{ matrix.python-version }}"
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: pip
+
+      - name: Install dependencies
+        run: pip install -e ".[dev]"
+
+      - name: Type-check (mypy)
+        run: mypy
+
+      - name: Test with pytest
+        run: pytest --cov-report=xml
+
+      - name: Upload coverage to Codecov
+        if: matrix.python-version == '3.13'
+        uses: codecov/codecov-action@v4
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: coverage.xml
+          fail_ci_if_error: false
+
+  build:
+    name: "Verify build"
+    runs-on: ubuntu-latest
+    needs: test
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+          cache: pip
+
+      - name: Install build tools
+        run: pip install build twine
+
+      - name: Build distribution
+        run: python -m build
+
+      - name: Check distribution metadata
+        run: twine check dist/*
diff --git a/.github/workflows/netlicensing-python-dependency.yml b/.github/workflows/netlicensing-python-dependency.yml
@@ -1,23 +1,60 @@
+# Installs the published package from PyPI on a weekly schedule and runs a
+# quick smoke test to catch any packaging or import regressions.
+#
+# Matrix: tests the three latest supported Python versions.
+
 name: Python Client - Dependency Test
 
 on:
   schedule:
-    - cron: '*/59 * * * *'
+    - cron: "0 6 * * 1"   # every Monday at 06:00 UTC
+  workflow_dispatch:
 
 jobs:
-  build:
-
+  smoke-test:
+    name: "Smoke test · Python ${{ matrix.python-version }}"
     runs-on: ubuntu-latest
+
     strategy:
+      fail-fast: false
       matrix:
-        python-version: [3.6, 3.7, 3.8]
+        python-version: ["3.11", "3.12", "3.13"]
 
     steps:
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v2
-      with:
-        python-version: ${{ matrix.python-version }}
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install netlicensing-client
+      - uses: actions/checkout@v4
+
+      - name: "Set up Python ${{ matrix.python-version }}"
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install published package from PyPI
+        run: pip install --upgrade netlicensing-client
+
+      - name: Verify package imports and version
+        run: |
+          python - <<'EOF'
+          import netlicensing
+          from netlicensing import (
+              NetLicensingClient,
+              NetLicensingConfig,
+              NetLicensingError,
+              NetLicensingHTTPError,
+              NetLicensingAuthError,
+              Product,
+              Licensee,
+              ValidationResult,
+              LicenseType,
+              LicensingModel,
+          )
+          print(f"netlicensing-client {netlicensing.__version__} imported successfully")
+          EOF
+
+      - name: Verify client instantiation (no network call)
+        run: |
+          python - <<'EOF'
+          from netlicensing import NetLicensingClient
+          client = NetLicensingClient(api_key="dummy-key")
+          assert client.config.api_key == "dummy-key"
+          print("NetLicensingClient instantiated OK")
+          EOF
