fix: Allow the PyPI publishing workflows to be used as reusable workflows by requiring a token for uploading the package (#26)

* fix: Allow the PyPI publishing workflows to be used as reusable workflows by requiring a token for uploading the package.

* docs: Update changelog
nfelt14 authored Aug 28, 2024
1 parent 8b3a3d6 commit 71d12d0
Showing 5 changed files with 41 additions and 6 deletions.
11 changes: 11 additions & 0 deletions .github/workflows/_reusable-package-release.yml
Expand Up @@ -72,6 +72,14 @@ on:
description: The public SSH key linked to the `secrets.ssh-signing-key-private`
key that will be used to sign the commit and tag created by `python-semantic-release`.
required: true
pypi-api-token:
description: The API token for the package on pypi.org. If `build-and-publish-python-package`
is set to `true`, this input must be provided or the build will fail.
required: false
test-pypi-api-token:
description: The API token for the package on test.pypi.org. If `build-and-publish-python-package`
is set to `true`, this input must be provided or the build will fail.
required: false
concurrency:
group: pypi (Reusable Workflows)
env:
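Review bot: the descriptions on the new `pypi-api-token` and `test-pypi-api-token` entries say "this input must be provided", but these values reach the reusable workflow as secrets (the caller examples in this same commit set them under `secrets:`), so the wording should say "secret". Also, with both declared `required: false`, a caller that sets `build-and-publish-python-package: true` but forgets the token only finds out when the upload step itself fails; consider a guard step at the start of each upload job that exposes the secret through `env:` and fails early with an explicit message, along the lines of `env: { TOKEN: "${{ secrets.pypi-api-token }}" }` followed by `run: [ -n "$TOKEN" ] || { echo "pypi-api-token secret is required when build-and-publish-python-package is true"; exit 1; }`.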
Expand Down Expand Up @@ -181,6 +189,7 @@ jobs:
- name: Upload package to Test PyPI
uses: pypa/[email protected]
with:
password: ${{ secrets.test-pypi-api-token }}
repository-url: https://test.pypi.org/legacy/
# Upload the official package version to PyPI
upload-pypi:
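Review bot: the `uses:` line of the Test PyPI upload step renders here as `pypa/[email protected]`, so the action version being referenced is not legible in this view; since this step now receives a long-lived credential through `password:`, confirm the action is pinned to a full commit SHA (with the tag kept in a trailing comment) rather than a mutable tag, so a later update to the action cannot silently change what handles the token.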
Expand All @@ -200,6 +209,8 @@ jobs:
path: dist
- name: Upload package to PyPI
uses: pypa/[email protected]
with:
password: ${{ secrets.pypi-api-token }}
# Upload the official package binaries to the GitHub Release
upload-github:
name: Upload package to GitHub Release
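Review bot: `password: ${{ secrets.pypi-api-token }}` at the PyPI upload step switches this job to a long-lived token; the `pypi-api-token` description earlier in this file says "the API token for the package on pypi.org", which is the right scope, but nothing in the change states it explicitly. Suggest the description and the docs say the token must be project-scoped to this package (not an account-wide token) and that callers keep it only in the calling repository's secrets, since the reusable workflow never needs it anywhere else.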
5 changes: 5 additions & 0 deletions .github/workflows/_reusable-package-testpypi.yml
Expand Up @@ -12,6 +12,10 @@ on:
format `owner/repo`.
required: true
type: string
secrets:
test-pypi-api-token:
description: The API token for the package on test.pypi.org.
required: true
concurrency:
group: pypi (Reusable Workflows)
env:
Expand Down Expand Up @@ -54,6 +58,7 @@ jobs:
- name: Upload package to Test PyPI
uses: pypa/[email protected]
with:
password: ${{ secrets.test-pypi-api-token }}
repository-url: https://test.pypi.org/legacy/
test-pypi-install:
name: Install package from test.pypi.org
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -18,6 +18,10 @@ Valid subsections within a version are:

Things to be included in the next release go here.

### Changed

- Updated the `_reusable-package-testpypi.yml` and `_reusable-package-release.yml` workflows to use a token for uploading Python packages to TestPyPI and PyPI.

---

## v1.0.3 (2024-08-28)
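Review bot: this entry reads as a routine change, but `_reusable-package-testpypi.yml` now declares `test-pypi-api-token` as `required: true`, so every existing caller of that workflow fails until it adds a `secrets:` block; the changelog should call that out as a breaking change for callers and show the one-line migration (`test-pypi-api-token: ${{ secrets.TEST_PYPI_API_TOKEN }}` under `secrets:`), and note that the release workflow's two tokens are only needed when `build-and-publish-python-package` is `true`.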
19 changes: 13 additions & 6 deletions workflows/package-release.md
Expand Up @@ -74,18 +74,23 @@ will be used to fill in the GitHub Release Notes.
| `commit-user-email` | required | The email of the user to use when committing changes to the repository. | |
| `release-level` | required | The level of the release to create. Must be one of `major`, `minor`, or `patch`. | |
| `build-and-publish-python-package` | optional | A boolean value that determines whether to build and publish the Python package. If set to `false`, the package binaries will not be built or published to PyPI, TestPyPI, or GitHub Releases. | `true` |
| `python-versions-array` | optional | A valid JSON array of Python versions to test against. | |
| `python-versions-array` | optional | A valid JSON array of Python versions to test against. If `inputs.build-and-publish-python-package` is set to `true`, this input must be provided or the build will fail. | |
| `operating-systems-array` | optional | A valid JSON array of operating system names to run tests on. | `'["ubuntu", "windows", "macos"]'` |
| `previous-changelog-filepath` | optional | The full path of the file to copy the contents of the changelog into for use in the `python-semantic-release` templates. | `'.previous_changelog_for_template.md'` |
| `previous-release-notes-filepath` | optional | The full path of the file to copy the contents of the `## Unreleased` section of the changelog into for use in the GitHub Release Notes. | `'.previous_release_notes_for_template.md'` |
## Secrets
| Secret variable | Necessity | Description |
| ------------------------- | --------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `checkout-token` | required | The token to use for checking out the repository, must have permissions to write back to the repository. |
| `ssh-signing-key-private` | required | A private SSH key associated with the account that owns the `checkout-token` that will be used to sign the commit and tag created by `python-semantic-release`. |
| `ssh-signing-key-public` | required | The public SSH key linked to the `secrets.ssh-signing-key-private` key that will be used to sign the commit and tag created by `python-semantic-release`. |
| Secret variable | Necessity | Description |
| ------------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `checkout-token` | required | The token to use for checking out the repository, must have permissions to write back to the repository. |
| `ssh-signing-key-private` | required | A private SSH key associated with the account that owns the `checkout-token` that will be used to sign the commit and tag created by `python-semantic-release`. |
| `ssh-signing-key-public` | required | The public SSH key linked to the `secrets.ssh-signing-key-private` key that will be used to sign the commit and tag created by `python-semantic-release`. |
| `pypi-api-token` | required | The API token for the package on pypi.org. If `inputs.build-and-publish-python-package` is set to `true`, this input must be provided or the build will fail. |
| `test-pypi-api-token` | required | The API token for the package on test.pypi.org. If `inputs.build-and-publish-python-package` is set to `true`, this input must be provided or the build will fail. |
> [!CAUTION]
> If a Python package is intended to be built and published, **the `pypi-api-token` and `test-pypi-api-token` secrets must be provided**.
## Example
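Review bot: the Secrets table lists `pypi-api-token` and `test-pypi-api-token` as `required` while the workflow in this same commit declares them `required: false`; pick one. If they stay optional in the workflow, the table should say `optional` and let the `[!CAUTION]` block carry the condition, and both descriptions should say "this secret" rather than "this input". Separately, the `python-versions-array` row changed from plain optional to "must be provided or the build will fail", wording that matches the token rows; confirm that change is intended, since the workflow hunks in this commit do not touch that input.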
Expand Down Expand Up @@ -127,6 +132,8 @@ jobs:
checkout-token: ${{ secrets.CHECKOUT_TOKEN }}
ssh-signing-key-private: ${{ secrets.SSH_SIGNING_KEY_PRIVATE }}
ssh-signing-key-public: ${{ secrets.SSH_SIGNING_KEY_PUBLIC }}
pypi-api-token: ${{ secrets.PYPI_API_TOKEN }}
test-pypi-api-token: ${{ secrets.TEST_PYPI_API_TOKEN }}
```
[workflow-file]: ../.github/workflows/_reusable-package-release.yml
8 changes: 8 additions & 0 deletions workflows/package-testpypi.md
Expand Up @@ -47,6 +47,12 @@ officially released version of the package, incrementing `N` each time the workf
| `package-name` | required | The name of the package to build, upload, and install. | |
| `repo-name` | required | The full name of the repository to use to gate uploads, in the format `owner/repo`. | |
## Secrets
| Secret variable | Necessity | Description |
| --------------------- | --------- | ----------------------------------------------- |
| `test-pypi-api-token` | required | The API token for the package on test.pypi.org. |
## Example
```yaml
Expand All @@ -66,6 +72,8 @@ jobs:
contents: read
id-token: write
attestations: write
secrets:
test-pypi-api-token: ${{ secrets.TEST_PYPI_API_TOKEN }}
```
[workflow-file]: ../.github/workflows/_reusable-package-testpypi.yml
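Review bot: the example keeps `id-token: write` under `permissions:` while the upload now authenticates with `test-pypi-api-token`; the docs should state what `id-token: write` is still needed for (the `attestations: write` permission beside it suggests attestation signing) so readers do not assume trusted publishing is still in use, or drop the permission if nothing in the workflow uses it.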

0 comments on commit 71d12d0