Commit 15088df

Merge pull request Ericsson#4231 from whisperity/chore/ci/disable-pypi
chore(ci): Disable failing and dangerous PyPI publishing job
2 parents 9a15a36 + 740409b commit 15088df

1 file changed

+30
-16
lines changed
.github/workflows/pypi.yml

Lines changed: 30 additions & 16 deletions
@@ -98,20 +98,34 @@ jobs:
9898
run: |
9999
pytest tests/functional/binary_package/
100100
101-
# Publish pypi package when a new CodeChecker version is released.
102-
publish:
103-
name: Publish pypi package
104-
if: github.event_name == 'release'
105-
runs-on: ubuntu-20.04
106-
needs: test
107-
steps:
108-
- uses: actions/download-artifact@master
109-
with:
110-
name: pypi-package
111-
path: ./
101+
# FIXME: This was disabled because it was not working. We have to make sure
102+
# that the token is appropriate. This automatic publishing is also dangerous,
103+
# because there is no way to recover a broken release if PyPI is tainted
104+
# (the filename will be forever locked and reserved even if we nuke a release)
105+
#
106+
# To test PyPI functionality, test.pypi.org should be used instead. That
107+
# could be done with **every** commit (or at least every PR pulled to master).
108+
# With a random enough release name (e.g., "git describe" with the commit
109+
# hash suffix) we could deploy to test.pypi.org every time.
110+
#
111+
# Real finalised releases should undergo manual testing first, and if
112+
# everything is in order, the deployment job to live PyPI should be manually
113+
# triggered.
112114

113-
- name: Publish to PyPI
114-
uses: pypa/gh-action-pypi-publish@release/v1
115-
with:
116-
user: __token__
117-
password: ${{ secrets.PYPI_TOKEN }}
115+
# Publish pypi package when a new CodeChecker version is released.
116+
# publish:
117+
# name: Publish pypi package
118+
# if: github.event_name == 'release'
119+
# runs-on: ubuntu-20.04
120+
# needs: test
121+
# steps:
122+
# - uses: actions/download-artifact@master
123+
# with:
124+
# name: pypi-package
125+
# path: ./
126+
#
127+
# - name: Publish to PyPI
128+
# uses: pypa/gh-action-pypi-publish@release/v1
129+
# with:
130+
# user: __token__
131+
# password: ${{ secrets.PYPI_TOKEN }}
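
Review bot: The commented-out `publish` job at the end of this hunk still carries `actions/download-artifact@master`, a mutable branch reference, in a job that reads `secrets.PYPI_TOKEN`; before this block is ever uncommented, pin that action and `pypa/gh-action-pypi-publish@release/v1` to a tagged version or a commit SHA so the code running next to the token cannot change underneath the workflow. The FIXME states that live deployment should be manually triggered, so instead of parking the job as a comment, consider keeping it active but gated on a `workflow_dispatch` event in place of `if: github.event_name == 'release'` (the workflow's `on:` block is outside this hunk and would need the matching trigger). The FIXME also carries no issue reference, so nothing tracks the token check or the test.pypi.org plan it describes; link one in the comment.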
