fix(release): use commit SHA, not annotated-tag SHA, for pypa publish… #4
Workflow file for this run
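name: Publish to PyPI

# Release flow:
#   1. Bump `version` in pyproject.toml on main.
#   2. `git tag -a vX.Y.Z -m "Release X.Y.Z" && git push origin vX.Y.Z`
#      The tag MUST match pyproject.toml's version exactly (with the `v` prefix).
#   3. This workflow builds the package, publishes to PyPI via OIDC trusted
#      publishing, and creates a GitHub Release with auto-generated notes.
#
# Do not run `python -m build && twine upload` locally — that bypasses the
# version check and leaves no GitHub Release. PyPI rejects duplicate
# version uploads, so if the workflow fails after PyPI publish succeeded,
# manually create the missing GitHub Release with `gh release create vX.Y.Z`.
#
# Pinning convention: every third-party action is referenced by a full-length
# commit SHA, with the human-readable version in a trailing comment. The SHA
# must be that of the commit itself, not of an annotated tag object. Nothing
# checks the trailing comment, so re-verify it against the upstream tag
# whenever a pin is changed.

on:
  push:
    tags:
      # Any pushed tag starting with `v` starts a release. Who may trigger a
      # publish is therefore decided by tag-push rights plus whatever
      # protection rules are set on the `pypi` environment below.
      - "v*"

jobs:
  publish:
    runs-on: ubuntu-latest
    # NOTE(review): confirm the `pypi` environment has protection rules
    # (required reviewers and/or a tag restriction) and that the PyPI trusted
    # publisher entry names this environment; neither is visible from here.
    environment: pypi
    permissions:
      id-token: write  # OIDC trusted publishing to PyPI
      contents: write  # Create GitHub Release
    # NOTE(review): build and publish share one job, so the dependency install
    # and the project's build backend run in a job that can mint the OIDC
    # token and write to the repository. Splitting into a build job without
    # these permissions, handing `dist/` over as an artifact to a publish-only
    # job, would narrow that exposure.
    steps:
      # NOTE(review): confirm this SHA is the commit behind the version named
      # in the trailing comment.
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.2.2
        with:
          # Keep the job token out of .git/config: no step below runs git
          # against the remote, and the release step is expected to pass its
          # token to the API itself rather than read git's stored credentials.
          persist-credentials: false

      # Python 3.12 also provides `tomllib` (3.11+), used by the version check.
      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3  # v5.2.0
        with:
          python-version: "3.12"

      # Fail before anything is built or uploaded if the pushed tag and the
      # packaged version disagree. The tag is read from the GITHUB_REF_NAME
      # environment variable and always used quoted, so tag text is never
      # interpolated into the script source.
      - name: Verify tag matches pyproject.toml version
        run: |
          tag="${GITHUB_REF_NAME#v}"
          pkg_version=$(python -c "import tomllib,pathlib; print(tomllib.loads(pathlib.Path('pyproject.toml').read_text())['project']['version'])")
          if [ "$tag" != "$pkg_version" ]; then
            echo "::error::Tag v$tag does not match pyproject.toml version $pkg_version"
            exit 1
          fi

      # NOTE(review): `build` is installed unpinned, so each release run takes
      # whatever version the index serves at that moment. Consider a
      # hash-pinned requirements file to match the SHA-pinned actions.
      - name: Install build tools
        run: pip install build

      - name: Build package
        run: python -m build

      # No `with:` block and no API token: authentication relies on the
      # `id-token: write` permission above (OIDC trusted publishing).
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # release/v1.14.0

      # Runs only after the PyPI upload step has succeeded; see the header
      # comment for recovery if this step fails.
      - name: Create GitHub Release
        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda  # v3.0.0
        with:
          tag_name: ${{ github.ref_name }}
          name: ${{ github.ref_name }}
          generate_release_notes: true
          files: dist/*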