From 5bc286e6b85128231edc614cfaa6207e8afe120a Mon Sep 17 00:00:00 2001 From: Takayuki SHIMIZUKAWA Date: Sat, 2 Aug 2025 01:16:04 +0000 Subject: [PATCH 01/11] #123: Release to PyPI with digital attestations PEP 740 - Index support for digital attestations https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ --- .github/workflows/ci.yml | 80 ++++++++++++++++++++++++++++------------ 1 file changed, 56 insertions(+), 24 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 90de12d..ca19b37 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -78,7 +78,30 @@ jobs: name: distributions path: dist/ - pypi-publish: + publish-to-testpypi: + name: Upload release to TestPyPI + if: github.repository_owner == 'sphinx-doc' && github.ref == 'refs/heads/master' # only publish to TestPyPI on push to master + needs: + - build + runs-on: ubuntu-latest + environment: + name: testpypi + url: https://test.pypi.org/p/sphinx-intl + permissions: + id-token: write # IMPORTANT: this permission is mandatory for trusted publishing + steps: + - name: Download all the dists + uses: actions/download-artifact@v4 + with: + name: distributions + path: dist/ + - name: Publish package distributions to TestPyPI + uses: pypa/gh-action-pypi-publish@release/v1 + with: + verbose: true + repository-url: https://test.pypi.org/legacy/ + + publish-to-pypi: name: Upload release to PyPI if: github.repository_owner == 'sphinx-doc' && startsWith(github.ref, 'refs/tags/') needs: 
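Review bot: The new `publish-to-testpypi` job runs `pypa/gh-action-pypi-publish@release/v1`, a branch ref that can move, in a job that holds `id-token: write`. Whatever that branch points to at run time can therefore request the OIDC token used for trusted publishing. Pinning by commit keeps the upload tied to reviewed action code: `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1` (placeholder; take the SHA from the action's release). The same applies to `sigstore/gh-action-sigstore-python@v3.0.0` in the `github-release` hunk of this patch, which is pinned only by tag and runs with both `contents: write` and `id-token: write`. The `publish-to-pypi` job that opens at the end of this hunk continues outside it.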
@@ -102,36 +125,45 @@ jobs: with: verbose: true - # for test - password: ${{ secrets.TESTPYPI_TOKEN }} - repository_url: https://test.pypi.org/legacy/ - - # for production - # password: ${{ secrets.PYPI_TOKEN }} - github-release: - name: GitHub release + name: Sign the Python 🐍 distribution 📦 with Sigstore and upload them to GitHub Release if: github.repository_owner == 'sphinx-doc' + needs: + - publish-to-pypi runs-on: ubuntu-latest needs: - pypi-publish environment: release permissions: - contents: write # for softprops/action-gh-release to create GitHub release - + contents: write # IMPORTANT: mandatory for making GitHub Releases + id-token: write # IMPORTANT: mandatory for sigstore steps: - - uses: actions/checkout@v4 - with: - persist-credentials: false - - name: Get release version - id: get_version - uses: actions/github-script@v7 + - name: Download all the dists + uses: actions/download-artifact@v4 with: - script: core.setOutput('version', context.ref.replace("refs/tags/", "")) - - - name: Create GitHub release - uses: softprops/action-gh-release@v2 - if: startsWith(github.ref, 'refs/tags/') + name: distributions + path: dist/ + - name: Sign the dists with Sigstore + uses: sigstore/gh-action-sigstore-python@v3.0.0 with: - name: "sphinx-intl ${{ steps.get_version.outputs.version }}" - body: "Changelog: https://sphinx-intl.readthedocs.io/en/master/changes.html" + inputs: >- + ./dist/*.tar.gz + ./dist/*.whl + - name: Create GitHub Release + env: + GITHUB_TOKEN: ${{ github.token }} + run: >- + gh release create + "$GITHUB_REF_NAME" + --repo "$GITHUB_REPOSITORY" + --notes "" + - name: Upload artifact signatures to GitHub Release + env: + GITHUB_TOKEN: ${{ github.token }} + # Upload to GitHub Release using the `gh` CLI. + # `dist/` contains the built packages, and the + # sigstore-produced signatures and certificates. + run: >- + gh release upload + "$GITHUB_REF_NAME" dist/** + --repo "$GITHUB_REPOSITORY" 
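Review bot: The publish step at the top of this hunk drops `password: ${{ secrets.TESTPYPI_TOKEN }}` and the commented `PYPI_TOKEN` line without saying how the upload now authenticates. A comment in their place would help the next maintainer: `# no password: upload authenticates via PyPI trusted publishing (OIDC); API-token secrets are no longer read`. Presumably the job's `permissions` block, which lies outside this hunk, grants `id-token: write` as the TestPyPI job does. Whether the `TESTPYPI_TOKEN` and `PYPI_TOKEN` secrets still exist is not visible from the diff. Once a tagged release has gone through, revoking those tokens on the index and deleting the repository secrets removes a long-lived credential the workflow no longer needs.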
From 7d45792e8f829cbc34db73b5d0f795e9c571d648 Mon Sep 17 00:00:00 2001 From: Takayuki SHIMIZUKAWA Date: Sat, 2 Aug 2025 01:43:14 +0000 Subject: [PATCH 02/11] testing publish to testpypi --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ca19b37..1edb193 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -80,7 +80,7 @@ jobs: publish-to-testpypi: name: Upload release to TestPyPI - if: github.repository_owner == 'sphinx-doc' && github.ref == 'refs/heads/master' # only publish to TestPyPI on push to master + if: github.repository_owner == 'sphinx-doc' needs: - build runs-on: ubuntu-latest From 63b5d1db177ce68b100c1dc4bfcdae34f3d29b21 Mon Sep 17 00:00:00 2001 From: Takayuki SHIMIZUKAWA Date: Sat, 2 Aug 2025 01:45:50 +0000 Subject: [PATCH 03/11] testing publish to testpypi --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1edb193..b9a5ad1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -55,7 +55,7 @@ jobs: build: name: build distribution - if: github.repository_owner == 'sphinx-doc' && github.ref == 'refs/heads/master' + if: github.repository_owner == 'sphinx-doc' needs: - tests runs-on: ubuntu-latest From 0b885293a21f046e1d6835869c361da3e1898563 Mon Sep 17 00:00:00 2001 From: Takayuki SHIMIZUKAWA Date: Sat, 2 Aug 2025 01:47:23 +0000 Subject: [PATCH 04/11] fix syntax error --- .github/workflows/ci.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b9a5ad1..78f3603 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -129,10 +129,8 @@ jobs: name: Sign the Python 🐍 distribution 📦 with Sigstore and upload them to GitHub Release if: github.repository_owner == 'sphinx-doc' needs: - - publish-to-pypi + - publish-to-pypi runs-on: ubuntu-latest - needs: - - pypi-publish environment: release permissions: contents: write # IMPORTANT: mandatory for making GitHub Releases From 6aad80745f60e21da4f089d97308694bf47e3ee1 Mon Sep 17 00:00:00 2001 From: Takayuki SHIMIZUKAWA Date: Sat, 2 Aug 2025 03:40:26 +0000 Subject: [PATCH 05/11] fetch all commits and tags for setuptools_scm versioning. --- .github/workflows/ci.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 78f3603..ec4c7ae 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,7 +31,7 @@ jobs: - name: Checkout code uses: actions/checkout@v4 with: - fetch-depth: 1 + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: astral-sh/setup-uv@v6 @@ -64,7 +64,8 @@ jobs: - name: Checkout code uses: actions/checkout@v4 with: - fetch-depth: 1 + persist-credentials: false + fetch-depth: 0 - name: Set up Python uses: astral-sh/setup-uv@v6 From 3a576ffbc775d3af6ff7b67acec9159779c840f4 Mon Sep 17 00:00:00 2001 From: Takayuki SHIMIZUKAWA Date: Sat, 2 Aug 2025 03:47:47 +0000 Subject: [PATCH 06/11] setuptools_scm should omit local version that doesn't support PyPI --- pyproject.toml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 584b98d..e86e3da 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -62,7 +62,9 @@ build-backend = "setuptools.build_meta" include-package-data = true [tool.setuptools_scm] -# this empty section means: use_scm_version=True +# https://setuptools-scm.readthedocs.io/en/latest/extending/#available-implementations_1 +# because pypi does not support local version like .devN+ +local_scheme = "no-local-version" [tool.mypy] ignore_missing_imports = true From 0aca4ab0a7235a1ea13a363bd607338b709eede6 Mon Sep 17 00:00:00 2001 From: Takayuki SHIMIZUKAWA Date: Sat, 2 Aug 2025 03:53:22 +0000 Subject: [PATCH 07/11] revert 7d45792e8f829cbc34db73b5d0f795e9c571d648, 63b5d1db177ce68b100c1dc4bfcdae34f3d29b21 --- .github/workflows/ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ec4c7ae..9b8d867 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,4 +1,4 @@ -name: Test +name: Test, Build, Publish, Release on: push: paths-ignore: @@ -55,7 +55,7 @@ jobs: build: name: build distribution - if: github.repository_owner == 'sphinx-doc' + if: github.repository_owner == 'sphinx-doc' && github.ref == 'refs/heads/master' needs: - tests runs-on: ubuntu-latest @@ -81,7 +81,7 @@ jobs: publish-to-testpypi: name: Upload release to TestPyPI - if: github.repository_owner == 'sphinx-doc' + if: github.repository_owner == 'sphinx-doc' && github.ref == 'refs/heads/master' # only publish to TestPyPI on push to master needs: - build runs-on: ubuntu-latest From f5a201a59ef70c53193eb22a7bc963d55f280954 Mon Sep 17 00:00:00 2001 From: Takayuki SHIMIZUKAWA Date: Sat, 2 Aug 2025 04:04:53 +0000 Subject: [PATCH 08/11] "github release" job uploads for existing tag. --- .github/workflows/ci.yml | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9b8d867..7080b87 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -55,7 +55,7 @@ jobs: build: name: build distribution - if: github.repository_owner == 'sphinx-doc' && github.ref == 'refs/heads/master' + if: ${{ github.repository_owner == 'sphinx-doc' && github.ref == 'refs/heads/master' }} needs: - tests runs-on: ubuntu-latest @@ -81,7 +81,7 @@ jobs: publish-to-testpypi: name: Upload release to TestPyPI - if: github.repository_owner == 'sphinx-doc' && github.ref == 'refs/heads/master' # only publish to TestPyPI on push to master + if: ${{ github.repository_owner == 'sphinx-doc' && github.ref == 'refs/heads/master' }} # only publish to TestPyPI on push to master needs: - build runs-on: ubuntu-latest @@ -104,7 +104,7 @@ jobs: publish-to-pypi: name: Upload release to PyPI - if: github.repository_owner == 'sphinx-doc' && startsWith(github.ref, 'refs/tags/') + if: ${{ github.repository_owner == 'sphinx-doc' && startsWith(github.ref, 'refs/tags/') }} needs: - build runs-on: ubuntu-latest @@ -128,10 +128,10 @@ jobs: github-release: name: Sign the Python 🐍 distribution 📦 with Sigstore and upload them to GitHub Release - if: github.repository_owner == 'sphinx-doc' + if: ${{ github.repository_owner == 'sphinx-doc' && startsWith(github.ref, 'refs/tags/') }} + runs-on: ubuntu-latest needs: - publish-to-pypi - runs-on: ubuntu-latest environment: release permissions: contents: write # IMPORTANT: mandatory for making GitHub Releases @@ -148,14 +148,6 @@ jobs: inputs: >- ./dist/*.tar.gz ./dist/*.whl - - name: Create GitHub Release - env: - GITHUB_TOKEN: ${{ github.token }} - run: >- - gh release create - "$GITHUB_REF_NAME" - --repo "$GITHUB_REPOSITORY" - --notes "" - name: Upload artifact signatures to GitHub Release env: GITHUB_TOKEN: ${{ github.token }} From 116ef37291f11e6c03f2ed185df6682905935906 Mon Sep 17 00:00:00 2001 From: Takayuki SHIMIZUKAWA Date: Sat, 2 Aug 2025 04:09:26 +0000 Subject: [PATCH 09/11] update CHANGES --- CHANGES.rst | 1 + 1 file changed, 1 insertion(+) 
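Review bot: In the first hunk `build` stays limited to `github.ref == 'refs/heads/master'`, while the third hunk gates `publish-to-pypi` on `startsWith(github.ref, 'refs/tags/')` with `needs: - build`. On a tag ref `build` is skipped, and GitHub skips jobs whose `needs` were skipped, so as far as these hunks show `publish-to-pypi` and `github-release` would not run. Letting `build` run for tags as well closes the gap: `if: ${{ github.repository_owner == 'sphinx-doc' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')) }}`. Otherwise the attested release path is never exercised and a release would have to be uploaded by hand, without the attestations this series sets up. The job bodies continue outside their hunks.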
diff --git a/CHANGES.rst b/CHANGES.rst index 9e87ded..b7eeef9 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -9,6 +9,7 @@ Environments ------------ * add python-3.14 support by @rffontenelle in https://github.com/sphinx-doc/sphinx-intl/pull/115 +* Release to PyPI with digital attestations (PEP-740) by @shimizukawa in https://github.com/sphinx-doc/sphinx-intl/pull/125 Incompatibility --------------- From bc61620015856efd61ab03bd3a835eeb05502061 Mon Sep 17 00:00:00 2001 From: Takayuki SHIMIZUKAWA Date: Sat, 2 Aug 2025 04:14:21 +0000 Subject: [PATCH 10/11] CI runs on master only --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7080b87..07e987c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,6 +1,8 @@ name: Test, Build, Publish, Release on: push: + branches: + - master paths-ignore: - 'doc/**' pull_request: From ccc505c3ddb12ea94a74c1b85d7192c70bceda85 Mon Sep 17 00:00:00 2001 From: Takayuki SHIMIZUKAWA Date: Sat, 2 Aug 2025 04:19:01 +0000 Subject: [PATCH 11/11] revert name to "Test". this name is used for badge on PyPI. --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 07e987c..a74582f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,4 +1,4 @@ -name: Test, Build, Publish, Release +name: Test on: push: branches:
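Review bot: The `branches: - master` filter added under `on.push` (patch 10/11, "CI runs on master only") restricts push events to branch refs. When only `branches` is given, GitHub does not start the workflow for tag pushes. The tag-gated `publish-to-pypi` and `github-release` jobs then depend on some other trigger, and none is visible here because the `on:` block continues outside the hunk. If releases are meant to start from a pushed tag, add a tag filter beside it, e.g. `tags: ['<release-tag-pattern>']` (placeholder for the project's tag scheme).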