From da58ed84f21906488a344091b6360cc098046434 Mon Sep 17 00:00:00 2001
From: Calin Teodor
Date: Sun, 7 Jun 2026 03:14:03 +0300
Subject: [PATCH] ci: add PyPI publish workflow (PILOT-203)

Auto-publish on release-published, with workflow_dispatch fallback. Build wheel+sdist, twine-check, then pypa/gh-action-pypi-publish. Required secret: PYPI_API_TOKEN.
---
 .github/workflows/publish.yml | 56 +++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 .github/workflows/publish.yml

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..2cc81ff
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,56 @@
+name: publish
+
+# PILOT-203: PyPI publish workflow.
+#
+# Triggers on:
+# - Release published (the normal path: tag a release on GitHub → publish)
+# - workflow_dispatch (manual fallback when a release was created but
+# publish missed it, or when republishing on a fresh PYPI_API_TOKEN)
+#
+# Required secret:
+# PYPI_API_TOKEN — pypi.org token scoped to the pilotprotocol project.
+
+on:
+ release:
+ types: [published]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ name: Build wheel + sdist
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: '3.12'
+ - run: python -m pip install --upgrade build twine
+ - run: python -m build
+ - run: python -m twine check dist/*
+ - uses: actions/upload-artifact@v4
+ with:
+ name: dist
+ path: dist/
+ retention-days: 7
+
+ publish:
+ name: Publish to PyPI
+ needs: build
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ # OIDC for trusted publisher (preferred). Falls back to API token
+ # when configured below.
+ id-token: write
+ steps:
+ - uses: actions/download-artifact@v4
+ with:
+ name: dist
+ path: dist/
+ - uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ password: ${{ secrets.PYPI_API_TOKEN }}
+ verbose: true
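Review bot: In the `publish` job the comment says OIDC trusted publishing is preferred with the API token as a fallback, but the step always passes `password: ${{ secrets.PYPI_API_TOKEN }}`. pypa/gh-action-pypi-publish only attempts trusted publishing when no password is supplied, so the long-lived token authenticates every upload and `id-token: write` is granted without being used. Pick one path: configure a trusted publisher on PyPI and delete the `password:` line (the stored secret can then be removed), or keep the token, drop `id-token: write` and correct the comment. Separately, the job that holds the publishing credential references its actions by mutable refs (`@v4`, and the branch `@release/v1`); pinning each to a full commit SHA, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, keeps a moved tag or branch from changing what runs with that credential. Binding `publish` to a protected `environment:` with required reviewers would also put an approval step in front of manual `workflow_dispatch` runs.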