ci: add release workflow for PyPI publish via Trusted Publishers #9

Merged: tsdata merged 1 commit into `main` from `chore/add-release-workflow` on Apr 9, 2026
@tsdata (Collaborator) commented Apr 9, 2026

Summary

Adds `.github/workflows/release.yml` that builds memtomem and publishes it to PyPI (or TestPyPI for dry-runs) via PyPI Trusted Publishers (OIDC). No API tokens are stored in the repo.

Tag conventions

| Tag | Target |
| --- | --- |
| `v0.1.0`, `v0.2.0`, ... | PyPI (production) |
| `test-v0.1.0a1`, `test-v0.1.0rc1`, ... | TestPyPI (dry run) |

Both run inside the `pypi` GitHub environment, gated to `v*` tags only with required reviewer approval.

Workflow

  1. build — `uv build` from `packages/memtomem` → uploads sdist+wheel as job artifact
  2. publish — downloads the artifact, dispatches to PyPI or TestPyPI based on tag prefix via `pypa/gh-action-pypi-publish@release/v1`

Verification (after merge)

  1. Tag a TestPyPI dry run: `git tag test-v0.1.0a1 && git push origin test-v0.1.0a1`
  2. Approve the deployment in GitHub (Actions → workflow run → Review deployments)
  3. Confirm the package appears at https://test.pypi.org/p/memtomem
  4. Tag production: `git tag v0.1.0 && git push origin v0.1.0`

Companion PR

Pairs with memtomem/memtomem-stm release.yml PR. Core publishes first (it's a runtime dependency of memtomem-stm).

🤖 Generated with Claude Code

Adds .github/workflows/release.yml that builds the memtomem distribution
and publishes it to PyPI (or TestPyPI for dry-runs) via OIDC. No API
tokens are stored in the repo — pypa/gh-action-pypi-publish picks up the
short-lived OIDC token from GitHub at run time and PyPI verifies it
against the pre-registered Trusted Publisher entry.

Tag conventions:
  v0.1.0          → PyPI                (production)
  test-v0.1.0a1   → TestPyPI            (dry run)

Both code paths run inside the `pypi` GitHub environment, which is
gated to tag pushes matching `v*` only. Required reviewers on that
environment provide the manual approval gate before each publish.

The build job runs `uv build` from packages/memtomem and uploads the
sdist+wheel as a job artifact; the publish job downloads the artifact
and dispatches it to the chosen index based on the tag prefix.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
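
A sketch of the two-job layout described in this PR, added here as an example; it is not the `release.yml` merged in this PR. The action versions, the artifact name `dist`, and the `--out-dir dist` flag are assumptions; the paths, tag prefixes, environment name and publish action come from the description above.

```yaml
# Added sketch, NOT the project's release.yml. Versions and artifact name are assumed.
name: release
on:
  push:
    tags: ["v*", "test-v*"]   # the two tag conventions from the PR description

permissions:
  contents: read              # workflow default: no write scopes anywhere

jobs:
  build:
    runs-on: ubuntu-latest    # build job never sees an OIDC token
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5
      - name: Build sdist + wheel
        working-directory: packages/memtomem
        run: uv build --out-dir dist
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: packages/memtomem/dist/
          if-no-files-found: error

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Required reviewers and the tag rule are set on the environment in
    # repository settings; that rule has to admit the tags that trigger this run.
    environment: pypi
    permissions:
      id-token: write         # only this job can request the short-lived OIDC token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - name: Publish to TestPyPI (dry run)
        if: startsWith(github.ref_name, 'test-v')
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          repository-url: https://test.pypi.org/legacy/
      - name: Publish to PyPI (production)
        if: startsWith(github.ref_name, 'v')
        uses: pypa/gh-action-pypi-publish@release/v1
```

PyPI and TestPyPI each need their own Trusted Publisher entry naming this repository, the workflow file and the `pypi` environment; a token minted from any other workflow or environment is rejected by the index.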