From 69d3f4d214e9f3d178a0019aba5bbb864d88d340 Mon Sep 17 00:00:00 2001
From: Jan Kadlec
Date: Wed, 11 Feb 2026 11:38:03 +0100
Subject: [PATCH] chore: utilize trusted publisher in prod release

PyPI allows [publishing to PyPI with a Trusted Publisher](https://docs.pypi.org/trusted-publishers). This is allows it for production release.

JIRA: TRIVIAL
risk: low
---
 .github/workflows/build-release.yaml | 47 ++++++++++++++--------------
 CONTRIBUTING.md | 11 +++++++
 2 files changed, 35 insertions(+), 23 deletions(-)

diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index 5e0aebb0f..236dddcb3 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -14,23 +14,28 @@ on:
 tags:
 - v*.*.*

-permissions:
- contents: write
+env:
+ COMPONENTS: '["gooddata-api-client","gooddata-pandas","gooddata-fdw","gooddata-sdk","gooddata-dbt","gooddata-flight-server","gooddata-flexconnect","gooddata-pipelines"]'

 jobs:
+ matrix-components:
+ name: Prepare matrix components
+ runs-on: ubuntu-latest
+ outputs:
+ components: ${{ steps.export.outputs.components }}
+ steps:
+ - name: Export components JSON
+ id: export
+ run: echo "components=${COMPONENTS}" >> "$GITHUB_OUTPUT"
+
 build:
 name: Build all components
+ needs: matrix-components
+ permissions:
+ contents: read
 strategy:
 matrix:
- component:
- gooddata-api-client
- gooddata-pandas
- gooddata-fdw
- gooddata-sdk
- gooddata-dbt
- gooddata-flight-server
- gooddata-flexconnect
- gooddata-pipelines
+ component: ${{ fromJSON(needs.matrix-components.outputs.components) }}
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -55,6 +60,8 @@ jobs:
 name: Create GitHub release
 runs-on: ubuntu-latest
 needs: build
+ permissions:
+ contents: write
 steps:
 - name: Obtain artifacts
 uses: actions/download-artifact@v4
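Review bot: The workflow-level `permissions: contents: write` is removed in the first hunk but not replaced by a restrictive baseline, so any job without its own `permissions:` — `matrix-components` here, and presumably `slack-notification` further down — runs with the repository's default `GITHUB_TOKEN` permissions, which may be read/write depending on repository settings. A deny-by-default line at the top, `permissions: {}`, keeps the least-privilege intent explicit while the per-job grants this change adds (`contents: read` on `build`, `contents: write` on `release`, `id-token: write` on `publish`) supply exactly what each job needs. The `COMPONENTS` JSON string is only checked when `fromJSON` runs in the downstream jobs, so a stray quote in a future edit fails at matrix expansion rather than in the export step; a `jq . <<< "$COMPONENTS" >/dev/null` line ahead of the echo in the export `run:` would surface that earlier with a clearer error.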
@@ -83,18 +90,14 @@ jobs:
 publish:
 name: Publish components
 runs-on: ubuntu-latest
- needs: build
+ needs:
+ - matrix-components
+ - build
+ permissions:
+ id-token: write
 strategy:
 matrix:
- component:
- gooddata-api-client
- gooddata-pandas
- gooddata-fdw
- gooddata-sdk
- gooddata-dbt
- gooddata-flight-server
- gooddata-flexconnect
- gooddata-pipelines
+ component: ${{ fromJSON(needs.matrix-components.outputs.components) }}
 steps:
 - name: Obtain ${{ matrix.component }} artifacts
 uses: actions/download-artifact@v4
@@ -104,8 +107,6 @@ jobs:
 - name: Push ${{ matrix.component}} to pypi
 uses: pypa/gh-action-pypi-publish@release/v1
 with:
- user: __token__
- password: ${{ secrets.PYPI_API_TOKEN }}
 packages-dir: dist/${{ matrix.component }}
 verbose: true
 slack-notification:
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 49f3c5c36..e50682ae1 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -40,6 +40,17 @@

 ## Maintenance Tasks

+### Adding a New Package
+
+When adding a new distributable package to this monorepo, update release automation and PyPI configuration together:
+
+1. Add the package name to `COMPONENTS` in:
+ - `.github/workflows/dev-release.yaml`
+ - `.github/workflows/build-release.yaml`
+2. Verify the package is built by release workflows and artifacts are uploaded from its `dist/` directory.
+3. Configure the package on PyPI to use Trusted Publisher for this repository/workflow combination.
+4. Run/observe a release workflow and confirm publishing succeeds via OIDC (no `PYPI_API_TOKEN` required).
+
 ### Adding Support for a New Python Version

 When adding support for a new Python version:
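Review bot: `id-token: write` is granted to `publish` in the third hunk without an `environment:` on the job, so the OIDC token presented to PyPI carries no environment claim and the Trusted Publisher registration can only be bound to repository plus workflow filename — any run of `build-release.yaml` that reaches this job can mint a publish credential. Declaring a dedicated environment on the job, e.g. `environment: pypi` (name chosen here as an example), entering that same name in each package's Trusted Publisher configuration on PyPI, and attaching required reviewers or deployment-branch/tag rules to it narrows who can publish and gives an approval and audit point. Step 3 of the new CONTRIBUTING section should then name the environment as part of the registration so future packages are configured consistently.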
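Review bot: Removing `user`/`password` from the `pypa/gh-action-pypi-publish` step in the fourth hunk makes the action fall back to OIDC, but nothing retires the long-lived `PYPI_API_TOKEN`: the repository secret and the token on PyPI stay valid and remain reachable by any workflow or compromised action that can read secrets. Once `dev-release.yaml` (which the new CONTRIBUTING text lists alongside this workflow) no longer needs it, revoke the token in the PyPI account and delete the repository secret; until then this should be tracked as a follow-up rather than left implicit in the "no `PYPI_API_TOKEN` required" wording. The action is referenced by the mutable `release/v1` branch on the line above; since this step now receives the minted publish credential, pinning it to a full commit SHA with the version in a trailing comment would be a cheap supply-chain hardening to fold into the same change.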