The release.sh script is the only supported way to cut a release of
tc-admin. It bumps the version, builds Python distributions, publishes
to PyPI and Docker Hub, and pushes a signed tag to GitHub.
You need the following tools available on PATH:
| Tool | Purpose |
|---|---|
git |
committing, tagging, pushing |
python3 |
building the sdist / wheel |
docker (with buildx) |
building the multi-arch image |
pass |
retrieving PyPI / Docker Hub credentials |
gpg |
signing the git tag (git tag -s) |
You must also have:
- A GPG secret key — required to sign the git tag.
- An SSH key with push access to
git@github.com:taskcluster/tc-admin. - An entry
community-tc/secret-values.ymlin yourpassstore containing atc-admin-release-pypi-password:line. - An entry
hub.docker.com/taskclusterbotin yourpassstore containing the Docker Hub password for thetaskclusterbotaccount. - Maintainer rights on:
The script's pre-flight phase verifies most of the above before doing any destructive work, and reports all problems together so you can fix them in a single pass.
You must run the script with no Python virtualenv active — it builds
its own venv under .release/py3/.
./release.sh --version 1.2.3The version must match <a>.<b>.<c> where a >= 1, b >= 0, c >= 0,
all integers, no leading zeros. An optional alpha<n> suffix is allowed
on the patch component.
- Pre-flight checks — verifies tools (
git,python3,docker,pass,gpg), Docker daemon andbuildx, GPG secret key,passentries, version-string format (old and new), branch ismain, working tree is clean, local HEAD matches remotemain, and that the tag does not already exist locally or remotely. All problems are reported together. - Version bump — updates
setup.pyand thetc-admin~=…line inDockerfileviasedand stages the changes. - Local commit + signed tag — creates a
Version bump from X to Ycommit and a signedvX.Y.Ztag locally. Nothing is pushed yet. - Build — creates a fresh virtualenv under
.release/py3/, installsbuildandtwine, then runspython -m buildto produce the sdist and wheel indist/. - Validate package —
twine check dist/*checks that the package metadata is valid (long_description renders cleanly on PyPI, classifiers are recognised, etc.) before contacting the index. - Publish to PyPI —
twine uploadto https://upload.pypi.org/legacy/. The PyPI password is retrieved frompassand printed for manual paste at the prompt. - Publish to Docker Hub —
docker login, thendocker buildx build --platform linux/amd64,linux/arm64 --pushtotaskcluster/tc-admin:<version>. The Docker Hub password is retrieved frompassand printed for manual paste. - Push to GitHub — pushes the version-bump commit to
mainand the signed tag. This is intentionally the last step so that a publish failure leaves the remote untouched. - Open release page — opens
https://github.com/taskcluster/tc-admin/releases/new?tag=v<version>in your browser so you can write the release notes.
twine check (run automatically by the script) catches the most common
metadata problems — bad README rendering, unrecognised classifiers,
missing required fields — without contacting PyPI.
For the rare case where you want to see how the package will render
live on PyPI before committing to a real release (typically when
materially changing long_description, long_description_content_type,
or other metadata), you can do an end-to-end test against
test.pypi.org outside the release script:
rm -rf dist/*
python -m build
twine check dist/*
twine upload --repository testpypi dist/*…then look at the result on https://test.pypi.org/project/tc-admin/.
Note that test PyPI does not allow re-uploading the same version, so
use a throwaway version (e.g. an alpha<n> suffix) when testing.
Because the GitHub push happens at the end, a failure during build, PyPI upload, or Docker Hub publish leaves the remote untouched. To recover:
git reset --hard HEAD~1 # undo the version-bump commit
git tag -d "v<version>" # remove the local signed tag…then fix the underlying cause and re-run ./release.sh.
If the failure happens after a successful PyPI or Docker Hub upload, you cannot reuse the same version number — PyPI does not allow re-uploading a version, and the Docker tag has already been published. In that case, cut the next patch release instead.