From 1d56456f3c52dcbbaee1518f8f236173efffd62c Mon Sep 17 00:00:00 2001 From: Ben Date: Wed, 1 Oct 2025 20:25:47 +0000 Subject: [PATCH 01/12] Test publish --- .github/workflows/python-publish.yml | 72 ++++++++++++++++++++++++---- 1 file changed, 62 insertions(+), 10 deletions(-) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 166c3467a..9adc24951 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -6,6 +6,8 @@ name: Upload Python Package on: release: types: [created] + pull_request: + types: [opened, synchronize, reopened] # Allows to run this workflow manually workflow_dispatch: @@ -14,12 +16,9 @@ permissions: contents: read jobs: - deploy: - + build: + name: Build distribution 📦 runs-on: ubuntu-latest - environment: PyPi - permissions: - id-token: write steps: - name: Harden the runner (Audit all outbound calls) @@ -28,6 +27,8 @@ jobs: egress-policy: audit - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: 
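Review bot: The `pull_request` trigger added under `on:` makes a publish workflow run on every opened or synchronized PR, and nothing in the trigger limits it to this repository's own branches or to changes that affect the package. The TestPyPI publish job it feeds (later in this same patch) has no `if:` condition, so each push to a same-repo PR attempts an upload to TestPyPI, where a filename cannot be re-uploaded once used; fork PRs should not be granted an OIDC token at all and would simply fail at the publish step rather than publish. Consider narrowing the trigger with `paths:` to the files that influence the build, or guarding the job with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`.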
@@ -35,9 +36,60 @@ jobs: - name: Install dependencies run: | python -m pip install --upgrade pip - pip install setuptools build - python -m pip install git+https://github.com/takluyver/twine@ec859fbfd285284e800461c45d22187f7948a275#egg=twine - - name: Build and publish + pip install setuptools build --user + - name: Build a binary wheel and a source tarball + run: python3 -m build + - name: Store the distribution packages + uses: actions/upload-artifact@v4 + with: + name: python-package-distributions + path: dist/ + + publish-to-testpypi: + name: Publish Python distribution 📦 to TestPyPI + needs: + - build + runs-on: ubuntu-latest + + environment: + name: testpypi + url: https://test.pypi.org/p/dfetch + + permissions: + id-token: write + + steps: + - name: Download all the dists + uses: actions/download-artifact@v4 + with: + name: python-package-distributions + path: dist/ + - name: Publish distribution 📦 to TestPyPI + uses: pypa/gh-action-pypi-publish@release/v1 + with: + repository-url: https://test.pypi.org/legacy/ + + - name: Test install from TestPyPI run: | - python -m build - twine upload dist/* + pip install --index-url https://test.pypi.org/simple/ dfetch --extra-index-url https://pypi.org/simple + python -c "import dfetch; print(dfetch.__version__)" + + deploy: + if: github.event_name == 'release' + runs-on: ubuntu-latest + needs: + - build + environment: + name: pypi + url: https://pypi.org/p/dfetch + permissions: + id-token: write + + steps: + - name: Download all the dists + uses: actions/download-artifact@v4 + with: + name: python-package-distributions + path: dist/ + - name: Publish distribution 📦 to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 From 4c297fa5b37832c24e51636358f4e262da26a49a Mon Sep 17 00:00:00 2001 From: Ben Date: Wed, 1 Oct 2025 21:04:04 +0000 Subject: [PATCH 02/12] Update changelog --- CHANGELOG.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index ba87489d7..90772eb5e 100644 
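Review bot: The `Test install from TestPyPI` step runs `pip install` against an unvetted index and then imports the result inside `publish-to-testpypi`, the job that holds `id-token: write` and the `testpypi` environment, so whatever that resolution pulls in executes with the ability to mint the OIDC token used for trusted publishing. Move the smoke test into its own job that `needs: publish-to-testpypi` and runs under the workflow's default `contents: read`, leaving the publish job with only the download and publish steps. Separately, `actions/upload-artifact@v4`, `actions/download-artifact@v4` and `pypa/gh-action-pypi-publish@release/v1` are mutable tag/branch refs while the checkout, setup-python and harden-runner steps in this file are pinned to commit SHAs with a version comment; pin these the same way (e.g. `uses: pypa/gh-action-pypi-publish@<sha> # release/v1`), since the publish action is the one that talks to PyPI. The removed job used `environment: PyPi` while the new `deploy` job uses `name: pypi`; if the trusted publisher on PyPI was registered with the old spelling, confirm the environment claim still matches before the next release. The two new jobs also lack the `Harden the runner` egress-audit step that the build job keeps.
```yaml
  publish-to-testpypi:
    # … unchanged: name, needs, runs-on, environment, permissions, download and publish steps …
    # (the "Test install from TestPyPI" step is removed from this job)

  test-install:
    name: Smoke-test the TestPyPI upload
    needs:
      - publish-to-testpypi
    runs-on: ubuntu-latest
    # No id-token here: this job only installs and runs third-party code.
    permissions:
      contents: read
    steps:
      - name: Test install from TestPyPI
        run: |
          # … unchanged: the pip install and import lines from the hunk …
```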
--- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -5,6 +5,8 @@ Release 0.11.0 (unreleased) * Don't show animation when running in CI (#702) * Improve logic for creating Purls in SBoM (#780) * Add External VCS reference to SBoM if possible (#780) +* Add security policy (#784) +* Add provenance / release attestation to pypi package (#784) Release 0.10.0 (released 2025-03-12) ==================================== From 68ef8ec49d16717366576dc872023463d255e496 Mon Sep 17 00:00:00 2001 From: Ben Date: Fri, 3 Oct 2025 19:23:14 +0000 Subject: [PATCH 03/12] Use unique versions for testpypi --- .github/workflows/python-publish.yml | 7 ++++++- pyproject.toml | 4 ++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 9adc24951..211e81cc4 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -36,7 +36,12 @@ jobs: - name: Install dependencies run: | python -m pip install --upgrade pip - pip install setuptools build --user + pip install setuptools setuptools_scm build --user + - name: Set unique version for TestPyPI + if: github.event_name != 'release' + run: | + ACTUAL_VERSION=$(python3 -m setuptools_scm) + echo "SETUPTOOLS_SCM_PRETEND_VERSION=${ACTUAL_VERSION}" >> $GITHUB_ENV - name: Build a binary wheel and a source tarball run: python3 -m build - name: Store the distribution packages diff --git a/pyproject.toml b/pyproject.toml index 87b50d389..1d4b817f1 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -111,6 +111,10 @@ include = ["dfetch", "dfetch.*"] [tool.setuptools.package-data] dfetch = ["resources/*.yaml"] +[tool.setuptools_scm] +version_scheme = "guess-next-dev" +local_scheme = "node-and-timestamp" + [tool.isort] profile = "black" From 8713f504bb15310b2937416147de1a5fcafe0856 Mon Sep 17 00:00:00 2001 
From: Ben Date: Fri, 3 Oct 2025 19:32:40 +0000 Subject: [PATCH 04/12] Use new license format --- pyproject.toml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 1d4b817f1..3ac4a7e2d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -22,13 +22,12 @@ keywords = [ "multi-project", "monorepo", ] -license = { text = "MIT" } +license = "MIT" classifiers = [ # Full list: https://pypi.python.org/pypi?%3Aaction=list_classifiers "Development Status :: 4 - Beta", "Environment :: Console", "Intended Audience :: Developers", - "License :: OSI Approved :: MIT License", "Programming Language :: Python :: 3.9", "Programming Language :: Python :: 3.10", "Programming Language :: Python :: 3.11", From 85e3fd3f6dd53e7e5b7f96e505531c1ad1be449f Mon Sep 17 00:00:00 2001 From: Ben Date: Fri, 3 Oct 2025 19:37:56 +0000 Subject: [PATCH 05/12] Remove unused items --- .github/workflows/python-publish.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 211e81cc4..48a8f816f 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -33,15 +33,6 @@ jobs: uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: '3.x' - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install setuptools setuptools_scm build --user - - name: Set unique version for TestPyPI - if: github.event_name != 'release' - run: | - ACTUAL_VERSION=$(python3 -m setuptools_scm) - echo "SETUPTOOLS_SCM_PRETEND_VERSION=${ACTUAL_VERSION}" >> $GITHUB_ENV - name: Build a binary wheel and a source tarball run: python3 -m build - name: Store the distribution packages From d0521b6476f4b17fa251e989e59454727207bc69 Mon Sep 17 00:00:00 2001 
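Review bot: `license = "MIT"` as a bare SPDX expression (PEP 639) is only accepted by setuptools 77 or newer; older backends reject the string form, and `python -m build` resolves the backend from `[build-system].requires`, which is outside this hunk. If that table does not already require `setuptools>=77`, the first release build after this change will fail rather than fall back; add the floor there, e.g. `requires = ["setuptools>=77", "setuptools_scm>=8"]` adjusted to whatever is already listed, and if the repository ships a LICENSE file consider `license-files = ["LICENSE"]` so it lands in the wheel metadata now that the classifier is gone.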
From: Ben Date: Fri, 3 Oct 2025 19:39:23 +0000 Subject: [PATCH 06/12] Use setuptools-scm for package version --- pyproject.toml | 3 --- 1 file changed, 3 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 3ac4a7e2d..e44159486 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -101,9 +101,6 @@ casts = ['asciinema==2.4.0'] [project.scripts] dfetch = "dfetch.__main__:main" -[tool.setuptools.dynamic] -version = { attr = "dfetch.__version__" } - [tool.setuptools.packages.find] include = ["dfetch", "dfetch.*"] From 41cc9afa67dc31a9a78bda7be4d0dce66c31eee5 Mon Sep 17 00:00:00 2001 From: Ben Date: Fri, 3 Oct 2025 19:41:37 +0000 Subject: [PATCH 07/12] Only install build --- .github/workflows/python-publish.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 48a8f816f..f6daa9c3e 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -33,6 +33,8 @@ jobs: uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: '3.x' + - name: Install dependencies + run: python -m pip install --upgrade pip build --user - name: Build a binary wheel and a source tarball run: python3 -m build - name: Store the distribution packages From 9f0b9ed57fe3442b17ec20fd27c64c600aae6f4b Mon Sep 17 00:00:00 2001 From: Ben Date: Fri, 3 Oct 2025 19:45:14 +0000 Subject: [PATCH 08/12] Use no local version, pypi does not allow --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index e44159486..0680474b1 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -108,8 +108,8 @@ include = ["dfetch", "dfetch.*"] dfetch = ["resources/*.yaml"] [tool.setuptools_scm] +local_scheme = "no-local-version" version_scheme = "guess-next-dev" -local_scheme = "node-and-timestamp" [tool.isort] profile = "black" From 4a00acff8934b9e71bb69706efbbdeba712fb3b3 Mon Sep 17 00:00:00 2001 
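Review bot: `python -m pip install --upgrade pip build --user` installs whatever `build` happens to be current at run time, and `python3 -m build` on the next line then pulls an unpinned backend into its isolated environment, so the artifact that goes to PyPI (and, per the changelog entry in this series, will carry a provenance attestation) is produced by tooling that changes underneath the workflow. For a release pipeline, pin the frontend here (`python -m pip install --upgrade "pip==<x.y>" "build==<x.y>" --user`, ideally from a hash-locked requirements file with `--require-hashes`) and pin `[build-system].requires` in pyproject.toml the same way, so `pull_request` runs exercise exactly the tooling a release uses.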
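Review bot: Switching `local_scheme` to `no-local-version` drops the node hash and timestamp that made TestPyPI uploads unique in the earlier patch of this series, so with `guess-next-dev` the version becomes `<next>.dev<N>` where N is only the commit distance from the last tag; two PR runs at the same distance (a force-push keeping the commit count, or two PRs branched from the same point) will likely produce an identical filename and the TestPyPI upload will then fail with a file-already-exists error. Since PyPI and TestPyPI reject local version labels, the practical options are `skip-existing: true` under the TestPyPI publish step's `with:` so a repeat is a no-op instead of a red run, or feeding a run-specific dev number through `SETUPTOOLS_SCM_PRETEND_VERSION` for non-release builds only.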
From: Ben Date: Fri, 3 Oct 2025 19:54:17 +0000 Subject: [PATCH 09/12] Give all history to use setuptools scm properly --- .github/workflows/python-publish.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index f6daa9c3e..5264f5076 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -29,6 +29,7 @@ jobs: - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0 with: persist-credentials: false + fetch-depth: 0 # Fetches all history and tags - name: Set up Python uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: From 2e792da25954344824ed9e7b4d6d8079285248b4 Mon Sep 17 00:00:00 2001 From: Ben Date: Fri, 3 Oct 2025 19:54:40 +0000 Subject: [PATCH 10/12] Make test install more clear --- .github/workflows/python-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 5264f5076..95fa35c64 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -70,8 +70,8 @@ jobs: - name: Test install from TestPyPI run: | - pip install --index-url https://test.pypi.org/simple/ dfetch --extra-index-url https://pypi.org/simple - python -c "import dfetch; print(dfetch.__version__)" + pip install --index-url https://test.pypi.org/simple/ dfetch --user + dfetch --help deploy: if: github.event_name == 'release' From 7bc60fe2f1e1fdc85eaaffbee979afca4aa4c366 Mon Sep 17 00:00:00 2001 From: Ben Date: Fri, 3 Oct 2025 19:58:55 +0000 Subject: [PATCH 11/12] Make pypi available for the deps --- .github/workflows/python-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 95fa35c64..66b461ff3 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml 
@@ -70,7 +70,7 @@ jobs: - name: Test install from TestPyPI run: | - pip install --index-url https://test.pypi.org/simple/ dfetch --user + pip install --index-url https://test.pypi.org/simple/ dfetch --extra-index-url https://pypi.org/simple --user dfetch --help deploy: From 8bf8affac361961f7bfa592bf8cf0f22fc71a92e Mon Sep 17 00:00:00 2001 From: Ben Date: Fri, 3 Oct 2025 20:07:19 +0000 Subject: [PATCH 12/12] Install the dev version --- .github/workflows/python-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 66b461ff3..f6db5f65b 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -70,7 +70,7 @@ jobs: - name: Test install from TestPyPI run: | - pip install --index-url https://test.pypi.org/simple/ dfetch --extra-index-url https://pypi.org/simple --user + pip install --pre --index-url https://test.pypi.org/simple/ dfetch --extra-index-url https://pypi.org/simple --user dfetch --help deploy:
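Review bot: Adding `--extra-index-url https://pypi.org/simple` next to `--index-url https://test.pypi.org/simple/` gives neither index priority: pip considers every candidate from both and takes the highest version, so `dfetch` itself may resolve to the stable release on PyPI rather than the build just uploaded, and any dependency can be satisfied by an arbitrary upload to TestPyPI, where names are not curated. The job already has the built `dist/` directory, so install the dependencies from PyPI only via the local wheel and then swap in the TestPyPI copy without touching them: `pip install --user dist/*.whl` followed by `pip install --user --no-deps --force-reinstall --index-url https://test.pypi.org/simple/ "dfetch==${VERSION}"`, with VERSION exported from the build job (for example `python -m setuptools_scm` written to `$GITHUB_OUTPUT`).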
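Review bot: `--pre` is a global switch: it lets pip select pre-release and dev versions for every requirement in the resolution, not just `dfetch`, so combined with the uncurated TestPyPI index on the same line any dependency now also matches `rc`/`dev` uploads there. It still does not pin which `dfetch` gets installed, and since the earlier patch replaced `print(dfetch.__version__)` with `dfetch --help`, the step no longer shows whether the just-published build or something else was exercised. Pin the exact version instead of `--pre`, `pip install --user --no-deps --force-reinstall --index-url https://test.pypi.org/simple/ "dfetch==${VERSION}"` with VERSION passed from the build job, and assert it with `python -c "import importlib.metadata as m; assert m.version('dfetch') == '${VERSION}'"` before running `dfetch --help`.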