From 36fa9ecc07df7ba108e31bf97fe70c07898a9691 Mon Sep 17 00:00:00 2001 From: Tom Scholten Date: Sun, 13 Jul 2025 18:54:29 +0200 Subject: [PATCH 1/5] Add trusted publishing (while using uv) --- .github/workflows/merge.yml | 26 ++++++++++-------- .github/workflows/verify.yml | 53 +++++++++++++++++++++++------------- CHANGELOG.md | 4 +++ 3 files changed, 52 insertions(+), 31 deletions(-) diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index e4142a204..b2b7ec25e 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -18,6 +18,9 @@ jobs: publishing: name: Build and publish Python 🐍 distributions 📦 to PyPI runs-on: ubuntu-latest + environment: pypi + permissions: + id-token: write # Only trigger on merges, not just closes if: github.event.pull_request.merged == true steps: @@ -28,16 +31,15 @@ jobs: uses: actions/setup-python@v5 with: python-version: ${{ env.DEFAULT_PYTHON }} - - name: Install pypa/build - run: >- - python3 -m - pip install - build - --user - - name: Build a binary wheel and a source tarball - run: python3 -m build + - name: Prepare uv + run: | + pip install uv + uv venv --seed venv + - name: Build + run: | + . venv/bin/activate + uv build - name: Publish distribution 📦 to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 - with: - password: ${{ secrets.pypi_token }} - skip-existing: true + run: | + . venv/bin/activate + uv publish diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index 4683a4fb4..0d1de2063 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -237,6 +237,9 @@ jobs: test-publishing: name: Build and publish Python 🐍 distributions 📦 to TestPyPI runs-on: ubuntu-latest + environment: testpypi + permissions: + id-token: write needs: - cache - prepare 
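Review bot: `id-token: write` is granted to the whole `publishing` job in merge.yml, so every step in it can request an OIDC token for the `pypi` environment, including the tool install and the build, which runs the project's build backend. Splitting the job keeps that permission on steps that only download `dist/` and upload it: a `build` job with `contents: read` that stores the artifacts, and a `publishing` job that depends on it and alone carries `environment: pypi` and `id-token: write`. The job body continues outside this hunk, so the sketch below shows only the new structure. The same reasoning applies to `test-publishing` in verify.yml, which gets the same permission in this patch.

```yaml
  build:
    # … unchanged: name, runs-on, merged-PR `if` condition …
    permissions:
      contents: read
    steps:
      # … unchanged: checkout, "Prepare uv", "Build" …
      - name: Upload built distributions
        uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
  publishing:
    needs: build
    environment: pypi
    permissions:
      id-token: write
    steps:
      - name: Download built distributions
        uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # … unchanged: "Prepare uv", "Publish distribution 📦 to PyPI" …
```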
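Review bot: `pip install uv` in the "Prepare uv" step of merge.yml is unpinned, so the job that publishes to PyPI runs whichever uv release is newest at merge time. Pin it, e.g. `pip install uv==<PINNED_VERSION>`, or install it through a setup action referenced by commit SHA. The publish step also depends on uv auto-detecting Trusted Publishing; `uv publish --trusted-publishing always` states the intended authentication and makes the run fail if no OIDC token can be obtained. The same unpinned install is added to `test-publishing` in verify.yml in this patch.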
@@ -245,29 +248,41 @@ jobs: steps: - name: Check out committed code uses: actions/checkout@v4 - - name: Restore cached environment - id: cache-reuse - uses: plugwise/gh-actions/restore-venv@v1 - with: - cache-key: ${{ needs.cache.outputs.cache-key }} - python-version: ${{ env.DEFAULT_PYTHON }} - venv-dir: ${{ env.VENV }} - precommit-home: ${{ env.PRE_COMMIT_HOME }} - - name: Install pypa/build + - name: Prepare uv run: | + pip install uv + uv venv --seed venv . venv/bin/activate - uv pip install build - - name: Build a binary wheel and a source tarball + uv pip install toml + - name: Check for existing package on TestPyPI + id: check_package run: | . venv/bin/activate - python3 -m build - - name: Publish distribution 📦 to Test PyPI - uses: pypa/gh-action-pypi-publish@release/v1 - continue-on-error: true - with: - password: ${{ secrets.testpypi_token }} - repository-url: https://test.pypi.org/legacy/ - skip-existing: true + PACKAGE_VERSION=$(python -c "import toml; print(toml.load('pyproject.toml')['project']['version'])") + PACKAGE_NAME=$(python -c "import toml; print(toml.load('pyproject.toml')['project']['name'])") + + # Use jq to check for the version in the releases object + EXISTING_VERSIONS=$(curl -s "https://test.pypi.org/pypi/$PACKAGE_NAME/json" | jq '.releases | keys[]') + + echo "Checking for package: $PACKAGE_NAME==$PACKAGE_VERSION" + + if [[ "$EXISTING_VERSIONS" =~ "$PACKAGE_VERSION" ]]; then + echo "Package version already exists. Skipping upload." + echo "should_publish=false" >> $GITHUB_OUTPUT + else + echo "Package version does not exist. Proceeding with upload." + echo "should_publish=true" >> $GITHUB_OUTPUT + fi + - name: Build + if: steps.check_package.outputs.should_publish == 'true' + run: | + . venv/bin/activate + uv build + - name: Publish distribution 📦 to TestPyPI + if: steps.check_package.outputs.should_publish == 'true' + run: | + . 
venv/bin/activate + uv publish --publish-url https://test.pypi.org/legacy/ complexity: name: Process test complexity diff --git a/CHANGELOG.md b/CHANGELOG.md index 858855752..51c94b70a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## Ongoing + +- Chores move module publishing on (test)pypi to Trusted Publishing (and using uv) + ## v1.7.7 - Implement code quality improvements as suggested by SonarCloud via [#762](https://github.com/plugwise/python-plugwise/pull/762), [#763](https://github.com/plugwise/python-plugwise/pull/763), [#764](https://github.com/plugwise/python-plugwise/pull/764), and [#765](https://github.com/plugwise/python-plugwise/pull/765) From c60e9d7d06563004e0246ae461f7fabec0643fbf Mon Sep 17 00:00:00 2001 From: Tom Scholten Date: Sun, 13 Jul 2025 19:03:57 +0200 Subject: [PATCH 2/5] CRAI nitpicks --- .github/workflows/merge.yml | 6 +++--- .github/workflows/verify.yml | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index b2b7ec25e..5d29e575e 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest environment: pypi permissions: - id-token: write + id-token: write # Only trigger on merges, not just closes if: github.event.pull_request.merged == true steps: @@ -38,8 +38,8 @@ jobs: - name: Build run: | . venv/bin/activate - uv build + uv build - name: Publish distribution 📦 to PyPI run: | . venv/bin/activate - uv publish + uv publish diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index 0d1de2063..9d66760e9 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -57,7 +57,7 @@ jobs: ruff: runs-on: ubuntu-latest name: Ruff check and force - needs: + needs: - cache - prepare steps: 
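Review bot: The existence check `[[ "$EXISTING_VERSIONS" =~ "$PACKAGE_VERSION" ]]` in "Check for existing package on TestPyPI" is a substring match, because a quoted right-hand side of `=~` is compared literally. Once `1.7.8a0` is on the index, a later `1.7.8` is reported as already existing and the upload is skipped without an error. Test for the exact key instead, e.g. `if curl -fsS "https://test.pypi.org/pypi/$PACKAGE_NAME/json" | jq -e --arg v "$PACKAGE_VERSION" '.releases | has($v)' >/dev/null; then`. PATCH 4/5 copies the same block into merge.yml, where it gates the production PyPI upload, so the fix belongs there as well. Separately, `uv pip install toml` pulls in an unpinned third-party package only to read two fields; if the interpreter is 3.11 or newer, the standard-library `tomllib` does the same job.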
@@ -126,7 +126,7 @@ jobs: pytest: runs-on: ubuntu-latest name: Run pytest using Python ${{ matrix.python-version }} - needs: + needs: - cache - prepare - commitcheck @@ -159,7 +159,7 @@ jobs: mypy: runs-on: ubuntu-latest name: Run mypy - needs: + needs: - cache - prepare - pytest @@ -205,7 +205,7 @@ jobs: coverage: name: Process test coverage runs-on: ubuntu-latest - needs: + needs: - cache - prepare - pytest @@ -239,7 +239,7 @@ jobs: runs-on: ubuntu-latest environment: testpypi permissions: - id-token: write + id-token: write needs: - cache - prepare @@ -287,7 +287,7 @@ jobs: complexity: name: Process test complexity runs-on: ubuntu-latest - needs: + needs: - cache - prepare - coverage From de4307e701e5e5170ce299b46d7012a599aa64ec Mon Sep 17 00:00:00 2001 From: Tom Scholten Date: Mon, 14 Jul 2025 09:56:16 +0200 Subject: [PATCH 3/5] Version bump --- CHANGELOG.md | 4 ++-- pyproject.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 51c94b70a..52610f4da 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,8 @@ # Changelog -## Ongoing +## Ongoing / 1.7.8a0 -- Chores move module publishing on (test)pypi to Trusted Publishing (and using uv) +- Chores move module publishing on (test)pypi to Trusted Publishing (and using uv) - released as alpha 1.7.8a0 to demonstrate functionality ## v1.7.7 diff --git a/pyproject.toml b/pyproject.toml index 4fc91a160..318c9b183 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta" [project] name = "plugwise" -version = "1.7.7" +version = "1.7.8a0" license = "MIT" description = "Plugwise Smile (Adam/Anna/P1) and Stretch module for Python 3." readme = "README.md" From 179a4ee16fb7c4b41022f7c61c37be46a702a7a0 Mon Sep 17 00:00:00 2001 
From: Tom Scholten Date: Mon, 14 Jul 2025 11:34:21 +0200 Subject: [PATCH 4/5] Prevent action failure on merge for tooling --- .github/workflows/merge.yml | 28 +++++++++++++++++++++++----- CHANGELOG.md | 4 ++-- pyproject.toml | 2 +- 3 files changed, 26 insertions(+), 8 deletions(-) diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index 5d29e575e..590b7e3da 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -26,20 +26,38 @@ jobs: steps: - name: Check out committed code uses: actions/checkout@v4 - - name: Set up Python ${{ env.DEFAULT_PYTHON }} - id: python - uses: actions/setup-python@v5 - with: - python-version: ${{ env.DEFAULT_PYTHON }} - name: Prepare uv run: | pip install uv uv venv --seed venv + . venv/bin/activate + uv pip install toml + - name: Check for existing package on PyPI + id: check_package + run: | + . venv/bin/activate + PACKAGE_VERSION=$(python -c "import toml; print(toml.load('pyproject.toml')['project']['version'])") + PACKAGE_NAME=$(python -c "import toml; print(toml.load('pyproject.toml')['project']['name'])") + + # Use jq to check for the version in the releases object + EXISTING_VERSIONS=$(curl -s "https://pypi.org/pypi/$PACKAGE_NAME/json" | jq '.releases | keys[]') + + echo "Checking for package: $PACKAGE_NAME==$PACKAGE_VERSION" + + if [[ "$EXISTING_VERSIONS" =~ "$PACKAGE_VERSION" ]]; then + echo "Package version already exists. Skipping upload." + echo "should_publish=false" >> $GITHUB_OUTPUT + else + echo "Package version does not exist. Proceeding with upload." + echo "should_publish=true" >> $GITHUB_OUTPUT + fi - name: Build + if: steps.check_package.outputs.should_publish == 'true' run: | . venv/bin/activate uv build - name: Publish distribution 📦 to PyPI + if: steps.check_package.outputs.should_publish == 'true' run: | . venv/bin/activate uv publish diff --git a/CHANGELOG.md b/CHANGELOG.md index 52610f4da..954b3fbb1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
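Review bot: With the `actions/setup-python` step removed, `pip install uv` and `uv venv --seed venv` use whichever interpreter the `ubuntu-latest` image ships, so `DEFAULT_PYTHON` no longer governs the release build. If that is not intended, pass it through explicitly, e.g. `uv venv --seed --python "${{ env.DEFAULT_PYTHON }}" venv`, assuming the variable is still defined at workflow level (not visible in this hunk). The redirections in the new check step would also be more robust quoted, as `>> "$GITHUB_OUTPUT"`.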
@@ -1,8 +1,8 @@ # Changelog -## Ongoing / 1.7.8a0 +## Ongoing / 1.7.8a0+1 -- Chores move module publishing on (test)pypi to Trusted Publishing (and using uv) - released as alpha 1.7.8a0 to demonstrate functionality +- Chores move module publishing on (test)pypi to Trusted Publishing (and using uv) - released as alpha 1.7.8a0+1 to demonstrate functionality ## v1.7.7 diff --git a/pyproject.toml b/pyproject.toml index 318c9b183..435561b88 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta" [project] name = "plugwise" -version = "1.7.8a0" +version = "1.7.8a1" license = "MIT" description = "Plugwise Smile (Adam/Anna/P1) and Stretch module for Python 3." readme = "README.md" From 2193a38a91499f1e73571a7b270b75a624748e9e Mon Sep 17 00:00:00 2001 From: Tom Scholten Date: Mon, 14 Jul 2025 11:52:29 +0200 Subject: [PATCH 5/5] CRAI suggestions --- .github/workflows/merge.yml | 3 ++- .github/workflows/verify.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index 590b7e3da..e3df88c17 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -20,7 +20,8 @@ jobs: runs-on: ubuntu-latest environment: pypi permissions: - id-token: write + contents: read # Required by actions/checkout + id-token: write # Needed for OIDC-based Trusted Publishing # Only trigger on merges, not just closes if: github.event.pull_request.merged == true steps: diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index 9d66760e9..3b94a21ae 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -239,7 +239,8 @@ jobs: runs-on: ubuntu-latest environment: testpypi permissions: - id-token: write + contents: read # Required by actions/checkout + id-token: write # Needed for OIDC-based Trusted Publishing needs: - cache - prepare