Skip to content

feat(ci): switch to uv publish for PyPI uploads #13991

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
woodruffw wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat(ci): switch to uv publish for PyPI uploads #13991

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
dd8268e
feat(ci): switch to uv publish for PyPI uploads
woodruffw Dec 10, 2025
84bad0b
Bump attest-action
woodruffw Feb 10, 2026
9941119
Ensure uv is installed
woodruffw Feb 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 16 additions & 9 deletions .github/workflows/pypi-publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,10 @@ jobs:
echo "PYPI_URL=https://test.pypi.org/legacy/" >> $GITHUB_ENV
if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'testpypi'

- uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
with:
save-cache: false
Comment on lines +46 to +48
Copy link
Member

@alex alex Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this also hash pin the version of uv that's installed?

Copy link
Contributor Author

@woodruffw woodruffw Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, although it's a floating resolution (the action knows all of the hashes, and selects the latest version). That doesn't seem ideal though, and it's an additional failure point with GitHub's unreliability. I'm going to switch it to the same constraint approach you use elsewhere 🙂

Copy link
Member

@alex alex Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, we want everything pinned to a particular version. Only way to avoid shit breaking when we need it to work.


- uses: dawidd6/action-download-artifact@5c98f0b039f36ef966fdb7dfa9779262785ecb05 # v14
with:
path: tmpdist/
Expand All @@ -51,13 +55,16 @@ jobs:
- run: |
find tmpdist/ -type f -name 'cryptography*' -exec mv {} dist/ \;

- uses: astral-sh/attest-action@f35111fb79f1e4f0150a1ee16cfd4399e3151bdb # v0.0.5
# Do not perform attestation for things for TestPyPI. This is
# because there's nothing that would prevent a malicious PyPI from
# serving a signed TestPyPI asset in place of a release intended for
# PyPI.
if: env.PYPI_URL == 'https://upload.pypi.org/legacy/'

- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
with:
repository-url: ${{ env.PYPI_URL }}
skip-existing: true
# Do not perform attestation for things for TestPyPI. This is
# because there's nothing that would prevent a malicious PyPI from
# serving a signed TestPyPI asset in place of a release intended for
# PyPI.
attestations: ${{ env.PYPI_URL == 'https://upload.pypi.org/legacy/' }}
# uv is present because attest-action installs it.
run: |
uv publish --trusted-publishing=always dist/*
Copy link
Member

@alex alex Dec 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is uv in the base image? If not, it's not installed here.

Copy link
Contributor Author

@woodruffw woodruffw Dec 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's installed implicitly via attest-action, since workspace tools are global state. I find this kind of spooky/scary though.

Copy link
Member

@alex alex Dec 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please add a comment at least

Copy link
Member

@alex alex Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh I just realized this won't work, since attest-action only runs conditionally on it being a push to prod pypi.

Copy link
Member

@alex alex Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is still an issue.

Copy link
Contributor Author

@woodruffw woodruffw Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, was going to fix it today. Sorry for the re-ping from the new activity.

Copy link
Contributor Author

@woodruffw woodruffw Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, I've added a setup-uv to ensure uv is always present. This feels kind of wrong given that you use python -m pip install -c ci-constraints-requirements.txt 'uv' elsewhere, but the alternative would be to increase the size of the publish job here significantly (with a checkout + setup-python).

env:
UV_PUBLISH_URL: ${{ env.PYPI_URL }}
Loading