Skip to content

Establish trusted PyPI release pipeline, align release jobs with uv, and patch vulnerable artifact download action#28

Merged
rilma merged 5 commits into
mainfrom
copilot/create-implementation-plan-pypi-package
May 13, 2026
Merged

Establish trusted PyPI release pipeline, align release jobs with uv, and patch vulnerable artifact download action#28
rilma merged 5 commits into
mainfrom
copilot/create-implementation-plan-pypi-package

Conversation

Copilot AI commented May 13, 2026

Copy link
Copy Markdown
Contributor

Description

This PR closes the gap between documented and actual release behavior by implementing a dedicated, tag-driven PyPI publishing workflow. It also patches the vulnerable actions/download-artifact range by pinning to v4.1.3 and aligns release automation with the project's uv tooling.

  • Release workflow (new)

    • Added .github/workflows/release-pypi.yaml with:
      • tag trigger (v*) for PyPI publish
      • workflow_dispatch path for TestPyPI/PyPI target selection
      • tag validation + main-reachability gate
      • OIDC trusted publishing (pypa/gh-action-pypi-publish)
      • per-release concurrency guard
  • Artifact integrity + release hardening

    • Builds sdist and wheel in separate steps.
    • Adds twine check, wheel install/import/version smoke validation, and post-publish install verification with retry.
  • Security fix

    • Updated vulnerable action usage:
      - uses: actions/download-artifact@v4.1.3
    • Added explicit default workflow token permissions (contents: read), with publish job scoped to id-token: write + contents: read.
  • uv alignment (feedback follow-up)

    • Added astral-sh/setup-uv@v4 to release build and verify jobs.
    • Switched install-oriented steps in release workflow from pip invocations to uv pip (build tooling install, wheel smoke-test install, and post-publish install verification).
  • Documentation alignment

    • Updated docs/MAINTENANCE.md, docs/DEVELOPER_GUIDE.md, and docs/ECOSYSTEM.md to reflect dynamic setuptools_scm tag-based versioning and the new release path.
    • Added release authority/permissions guidance and TestPyPI dry-run guidance.
    • Updated CHANGELOG.md with release automation + docs alignment entries.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • My code follows the project style guidelines (black, ruff, mypy)
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added tests that prove my fix/feature works
  • New and existing tests pass with my changes
  • Test coverage remains > 80%
  • I have updated the documentation (docstrings, README, guides)
  • I have added an entry to CHANGELOG.md
  • I have updated type hints for modified functions

Testing

# Workflow/config validation
parallel_validation  # Code Review + CodeQL (actions) -> no remaining alerts

Additional Context

PyPI/TestPyPI publication now depends on configuring Trusted Publishers for this repository/workflow on the package index side (pyhwm2014).

@rilma

rilma commented May 13, 2026

Copy link
Copy Markdown
Owner

@copilot This project uses uv, but the new release-pypi.yaml doesn't, why?

Copilot AI commented May 13, 2026

Copy link
Copy Markdown
Contributor Author

@copilot This project uses uv, but the new release-pypi.yaml doesn't, why?

Good catch. I aligned the release workflow to the project’s uv tooling in commit 12ce853: added astral-sh/setup-uv@v4 and switched install steps in build/verify jobs from pip invocations to uv pip.

Copilot AI changed the title Establish trusted PyPI release pipeline and patch vulnerable artifact download action Establish trusted PyPI release pipeline, align release jobs with uv, and patch vulnerable artifact download action May 13, 2026
Copilot finished work on behalf of rilma May 13, 2026 22:30
@rilma
rilma marked this pull request as ready for review May 13, 2026 22:53
@rilma
rilma merged commit be82484 into main May 13, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants