Merge pull request #1 from dedev-llc/release-tooling

Add bump.sh and switch PyPI publish to Trusted Publishing

Author: lionuncle

.github/workflows/release.yml

@@ -5,12 +5,20 @@ name: release
 # version hasn't changed (i.e. v<version> is already tagged).
 #
 # Required secrets (Settings → Secrets and variables → Actions):
-#   PYPI_API_TOKEN      — pypi.org token (scope: project rpr, or whole-account
-#                         until the project exists). __token__ user is implied.
 #   NPM_TOKEN           — npmjs.com automation token with publish rights.
 #   HOMEBREW_TAP_TOKEN  — fine-grained PAT with Contents: read/write on
 #                         dedev-llc/homebrew-rpr. Used to commit the bumped
 #                         formula to the tap repo.
+#
+# PyPI uses Trusted Publishing (OIDC) — no token required. One-time setup:
+#   1. https://pypi.org/manage/account/publishing/
+#   2. Add a "pending publisher" (or, after first publish, a real one):
+#        Project name:    rpr
+#        Owner:           dedev-llc
+#        Repository:      rpr
+#        Workflow name:   release.yml
+#        Environment:     release
+#   3. The pypi job below claims an OIDC token and PyPI verifies it matches.
 
 on:
   push:
@@ -62,6 +70,8 @@ jobs:
     if: needs.check-version.outputs.should_release == 'true'
     runs-on: ubuntu-latest
     environment: release
+    permissions:
+      id-token: write   # required for Trusted Publishing (OIDC)
     steps:
       - uses: actions/checkout@v4
 
@@ -70,19 +80,13 @@ jobs:
           python-version: "3.12"
 
       - name: Install build tooling
-        run: python -m pip install --upgrade build twine
+        run: python -m pip install --upgrade build
 
       - name: Build sdist + wheel
         run: python -m build
 
-      - name: Validate distributions
-        run: twine check dist/*
-
-      - name: Upload to PyPI
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
-        run: twine upload dist/*
+      - name: Upload to PyPI (Trusted Publishing)
+        uses: pypa/gh-action-pypi-publish@release/v1
 
   npm:
     needs: [check-version, pypi]

scripts/bump.sh

@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+# bump.sh — bump rpr version in pyproject.toml and npm/package.json in lockstep.
+#
+# Usage:
+#   scripts/bump.sh 0.2.0
+#
+# Does NOT commit, tag, or push — just edits the two files so you can review
+# the diff and open a PR. The release workflow runs on merge to main and
+# detects the new version automatically.
+
+set -euo pipefail
+
+if [ "$#" -ne 1 ]; then
+  echo "usage: $0 <version>" >&2
+  exit 1
+fi
+
+new="$1"
+
+# PEP 440 / semver-ish: MAJOR.MINOR.PATCH with optional pre/post/dev suffix.
+if ! [[ "$new" =~ ^[0-9]+\.[0-9]+\.[0-9]+([a-zA-Z0-9.+-]*)?$ ]]; then
+  echo "error: '$new' is not a valid version (expected MAJOR.MINOR.PATCH[suffix])" >&2
+  exit 1
+fi
+
+repo_root=$(git rev-parse --show-toplevel)
+cd "$repo_root"
+
+current=$(python3 -c 'import tomllib; print(tomllib.load(open("pyproject.toml","rb"))["project"]["version"])')
+echo "Current version: $current"
+echo "New version:     $new"
+
+if [ "$current" = "$new" ]; then
+  echo "Already at $new — nothing to do."
+  exit 0
+fi
+
+# pyproject.toml — surgical replace of the project.version line.
+NEW="$new" python3 - <<'PY'
+import os, pathlib, re
+p = pathlib.Path("pyproject.toml")
+s = p.read_text()
+s, n = re.subn(r'^version\s*=\s*"[^"]+"',
+               f'version = "{os.environ["NEW"]}"',
+               s, count=1, flags=re.M)
+if n != 1:
+    raise SystemExit("error: could not find 'version = ...' line in pyproject.toml")
+p.write_text(s)
+PY
+
+# npm/package.json — preserve 2-space indent and trailing newline.
+NEW="$new" node -e '
+const fs = require("fs");
+const p  = "npm/package.json";
+const j  = JSON.parse(fs.readFileSync(p, "utf8"));
+j.version = process.env.NEW;
+fs.writeFileSync(p, JSON.stringify(j, null, 2) + "\n");
+'
+
+echo
+echo "Updated:"
+echo "  pyproject.toml"
+echo "  npm/package.json"
+echo
+echo "Next steps:"
+echo "  git checkout -b release/v$new"
+echo "  git commit -am \"Release v$new\""
+echo "  gh pr create --fill"