Release 23.6.0 #515
needs-review |
Just double-checking: is OIDC already configured for towncrier in PyPI? I don't think I've received an email about that. 🤔 |
I am reading the docs and the initial announcement here https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/ and my understanding is that OIDC is already enabled for all repos that are hosted on GitHub. For now, only GitHub is supported :( ... but we are on GitHub, so this doesn't affect us. |
I see... I don't have admin rights to I will see if I/we can get admin rights for |
@glyph? 😇 |
@@ -194,6 +194,9 @@ jobs: | |||
# https://github.community/t/is-it-possible-to-require-all-github-actions-tasks-to-pass-without-enumerating-them/117957/4?u=graingert | |||
name: Check tag and publish | |||
runs-on: ubuntu-latest | |||
permissions: |
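Review bot: the `permissions:` key added on the last line of this hunk, under the `Check tag and publish` job, replaces the default token scopes for that job, and any scope not listed beneath it is set to none. The values under the key are not visible in this excerpt, so check that the block lists exactly what the job needs: `id-token: write` for publishing through PyPI's OIDC trusted publisher, plus `contents: read` if the job checks out the repository.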
It would be good to additionally set an environment (I use release-pypi myself) which you then configure on PyPI to be the only one that is allowed to publish:
permissions: | |
environment: release-pypi | |
permissions: |
My understanding is that it gets created automatically when used, but you can also manually add it to https://github.com/twisted/towncrier/settings/environments
Here's a quote from the publisher docs on PyPI:
The name of the GitHub Actions environment that the above workflow uses for publishing. This should be configured under the repository's settings. While not required, a dedicated publishing environment is strongly encouraged, especially if your repository has maintainers with commit access who shouldn't have PyPI publishing access.
Done. I am not sure this is needed.
I hope we can keep the towncrier access security setting simple ... and fully trust anyone with write access to the main repo.
Fork should be ok as the forks should not get access to the GitHub Secrets and I hope PyPI will deny access to the OIDC token from forks :)
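The comments above turn on which runs a trusted publisher will accept. The following is an added example, not code from this thread, from towncrier or from PyPI: a simplified model of matching GitHub OIDC token claims (`repository`, `job_workflow_ref`, `environment`) against a registered publisher. The workflow file name `ci.yml`, the fork name and the sample claims are constructed, and token signature and expiry checks are assumed to have passed already.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class TrustedPublisher:
    """Publisher settings as registered on the index (a model, not PyPI's code)."""
    owner: str
    repository: str
    workflow: str                      # file name under .github/workflows/
    environment: Optional[str] = None  # None means no environment restriction


def claims_match(pub: TrustedPublisher, claims: dict) -> Tuple[bool, str]:
    """Return (allowed, reason) for an already-verified set of OIDC claims."""
    expected_repo = f"{pub.owner}/{pub.repository}"
    # A fork runs under its own owner/name, so its token carries a different claim.
    if claims.get("repository", "").lower() != expected_repo.lower():
        return False, "repository mismatch"
    # job_workflow_ref has the form owner/repo/.github/workflows/file.yml@ref
    workflow_path = claims.get("job_workflow_ref", "").split("@", 1)[0]
    expected_path = f"{expected_repo}/.github/workflows/{pub.workflow}"
    if workflow_path.lower() != expected_path.lower():
        return False, "workflow mismatch"
    # Enforced only when the publisher was registered with an environment.
    if pub.environment is not None and claims.get("environment") != pub.environment:
        return False, "environment mismatch"
    return True, "ok"


# Constructed sample data; ci.yml and someone/towncrier are assumptions.
PUBLISHER = TrustedPublisher("twisted", "towncrier", "ci.yml", "release-pypi")
UPSTREAM_RELEASE = {
    "repository": "twisted/towncrier",
    "job_workflow_ref": "twisted/towncrier/.github/workflows/ci.yml@refs/tags/23.6.0",
    "environment": "release-pypi",
}
FORK_RUN = dict(
    UPSTREAM_RELEASE,
    repository="someone/towncrier",
    job_workflow_ref="someone/towncrier/.github/workflows/ci.yml@refs/heads/main",
)
NO_ENVIRONMENT = {k: v for k, v in UPSTREAM_RELEASE.items() if k != "environment"}

if __name__ == "__main__":
    for name, claims in [("upstream", UPSTREAM_RELEASE), ("fork", FORK_RUN),
                         ("no environment", NO_ENVIRONMENT)]:
        print(name, claims_match(PUBLISHER, claims))
```

In this model a job in the upstream repository that does not declare the environment is rejected only when the publisher was registered with one, which is the restriction the quoted PyPI documentation describes.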
@hynek it looks like using the GHA environment has the unwanted side effect, that any CI run is now blocked and needs manual approval.
I tried to add a high-level conditional, but I see that the deploy request is still triggered.
Eh ok leave it out for now and we’ll look another time. Sorry for the noise.
I think that the environment thing is worth exploring ...
I guess that the deployment workflow is designed to be triggered as a side-effect of another workflow (with dispatch) ... and it's not designed to be executed as mixed job
This is how I do it: https://github.com/hynek/structlog/blob/main/.github/workflows/pypi-package.yml
If you want, you can copy it verbatim and just change the trigger conditions.
I think it makes sense to have the release code in a separate workflow.
At the same time, I hope we can keep towncrier automation simple and have everything in a single file to make it easier to discover and see what is going on in GitHub Actions.
I don't know what's best here :|
I personally think (as demonstrated :)) that CI and publishing are sufficiently distinct issues, that it absolutely makes sense to keep them apart. But that's not something we need / should solve here.
I would like to experiment with that and make another PR.
the twisted core team is now an owner of the towncrier project. |
Thanks @glyph . I have access twisted/towncrier and I have created the GitHub publisher. But I still don't have access twisted/twisted |
OK I guess the 'maintainer' role isn't sufficient for most tasks. I promoted 'core' to 'owner' on twisted/twisted |
I think this is ready for review. The release notes are now visible in HTML format https://towncrier--515.org.readthedocs.build/en/515/release-notes.html# please review |
There is the small issue of an empty doc changelog entry that's my fault too, but nbd. if you want, fix that, otherwise go for it.
NEWS.rst
Outdated
- Update link to Quick Start in configuration.html to point to Tutorial instead. (`#504 <https://github.com/twisted/towncrier/issues/504>`_) | ||
- Add a note about the build command's ``--version`` requiring the command to be explicitly passed. (`#511 <https://github.com/twisted/towncrier/issues/511>`_) | ||
- Fix typos in the Pre-Commit docs. (`#512 <https://github.com/twisted/towncrier/issues/512>`_) | ||
- (`#513 <https://github.com/twisted/towncrier/issues/513>`_) |
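Review bot: the `#513` entry on the last line of this list has an issue link but no description, so the rendered release notes will show an empty bullet in this section. Give the entry a one-line description, or move the link out of this section into the list that shows issue links only.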
this is not great (and entirely my fault), but I don't think it's worth to stop the release over
is it possible for you to move it down to the misc list?
@@ -194,6 +194,9 @@ jobs: | |||
# https://github.community/t/is-it-possible-to-require-all-github-actions-tasks-to-pass-without-enumerating-them/117957/4?u=graingert | |||
name: Check tag and publish | |||
runs-on: ubuntu-latest | |||
permissions: |
I personally think (as demonstrated :)) that CI and publishing are sufficiently distinct issues, that it absolutely makes sense to keep them apart. But that's not something we need / should solve here.
Yes. We definitely need to move the release/publish in a separate workflow. The current workflow is confusing.
so ... release candidate is on pypi - https://pypi.org/project/towncrier/23.6.0rc1/
Published here - https://github.com/twisted/towncrier/actions/runs/5188156080/jobs/9351471004
I will prepare the final release |
Happy to see it worked out!
Thanks for doing this! |
I have created a separate ticket to discuss moving the release in a separate file #519
final release done here https://github.com/twisted/towncrier/actions/runs/5200182732
The package is published https://pypi.org/project/towncrier/23.6.0/
I will now set the dev version and merge this PR.
Thanks for your help |
I have removed the But I don't know where this token is defined inside PyPI. Maybe the token is hosted in Glyphs PyPI profile. |
|
||
For example, if there is an existing fragment named ``123.feature``, | ||
then ``towncrier create 123.feature`` will now create a fragment | ||
named ``123.feature.1``. (`#475 <https://github.com/twisted/towncrier/issues/475>`_) |
GitHub release tags don't seem to be able to render RST links such as this.
Is that a problem?
I've pandoc'ed it now.
Description
This is the release PR for 23.6.0
Fixes #514 and while doing this release we will test the new publishing method.
This is also the last release for python 3.7.
This is done to simplify our code.
I am just following the info from RELEASE.rst