Release 23.6.0 #515

Merged
merged 12 commits into from
Jun 7, 2023

adiroiban
Member

Description

This is the release PR for 23.6.0

Fixes #514 and while doing this release we will test the new publishing method.

This is also the last release for python 3.7.
This is done to simplify our code.

I am just following the info from RELEASE.rst

@adiroiban adiroiban requested a review from a team as a code owner June 5, 2023 09:18
@adiroiban
Member Author

needs-review

@hynek
Member

hynek commented Jun 5, 2023

Just double-checking: is OIDC already configured for towncrier in PyPI? I don't think I've received an email about that. 🤔

@adiroiban
Member Author

I am reading the docs and the initial announcement here https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/ and my understanding is that OIDC is already enabled for all repos that are hosted on GitHub.

For now, only GitHub is supported :( ... but we are on GitHub, so this doesn't affect us.

@hynek
Member

hynek commented Jun 5, 2023

It is enabled, but you still have to set some settings.

The project view has to look something like this:

[Screenshot: CleanShot 2023-06-05 at 12 18 51@2x]

If it doesn't, you just have to fill out this form:

[Screenshot: CleanShot 2023-06-05 at 12 19 24@2x]

@adiroiban
Member Author

I see... I don't have admin rights to towncrier in PyPI... the release just worked with the token from GitHub Secrets.

I will see if I/we can get admin rights for towncrier in PyPI

@hynek
Member

hynek commented Jun 5, 2023

@glyph? 😇

@@ -194,6 +194,9 @@ jobs:
# https://github.community/t/is-it-possible-to-require-all-github-actions-tasks-to-pass-without-enumerating-them/117957/4?u=graingert
name: Check tag and publish
runs-on: ubuntu-latest
permissions:
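Review bot: the `permissions:` block opened on the last line of this hunk should grant only what the "Check tag and publish" job needs, which for OIDC trusted publishing is `id-token: write` plus read access to repository contents; the granted scopes are not visible in these lines, so confirm nothing broader is listed. Because the tag check and the upload share one job on `ubuntu-latest`, every step in that job can request the OIDC token, so consider keeping the upload behind a tag-only condition or moving it into its own job.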
Member

It would be good to additionally set an environment (I use release-pypi myself) which you then configure on PyPI to be the only one that is allowed to publish:

Suggested change
permissions:
environment: release-pypi
permissions:

My understanding is that it gets created automatically when used, but you can also manually add it to https://github.com/twisted/towncrier/settings/environments

Here's a quote from the publisher docs on PyPI:

The name of the GitHub Actions environment that the above workflow uses for publishing. This should be configured under the repository's settings. While not required, a dedicated publishing environment is strongly encouraged, especially if your repository has maintainers with commit access who shouldn't have PyPI publishing access.

Member Author

Done. I am not sure this is needed.

I hope we can keep the towncrier access security setting simple ... and fully trust anyone with write access to the main repo.

Fork should be ok as the forks should not get access to the GitHub Secrets and I hope PyPI will deny access to the OIDC token from forks :)
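
Why the environment setting and the fork question above matter, as an added example that is not part of this PR thread and not PyPI's code: a simplified Python model of matching a GitHub OIDC token's `repository`, `job_workflow_ref` and `environment` claims against a trusted-publisher entry. The workflow file name `ci.yml`, the fork name and the tag ref are constructed placeholders, and signature, issuer and audience checks are assumed to have passed already.

```python
# Added illustration: a simplified model of trusted-publisher claim matching.
# It is not PyPI's implementation; token signature, issuer and audience checks
# are assumed to have passed already. All sample values are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TrustedPublisher:
    repository: str              # "owner/name" registered on the index
    workflow_file: str           # file name under .github/workflows/
    environment: Optional[str]   # None: any job in the workflow is accepted


def evaluate(pub: TrustedPublisher, claims: dict) -> str:
    """Return "ok" or the reason the claim set is rejected."""
    if claims.get("repository") != pub.repository:
        return "repository mismatch"
    # job_workflow_ref: "<owner>/<repo>/.github/workflows/<file>@<git ref>"
    workflow_path = claims.get("job_workflow_ref", "").split("@", 1)[0]
    if workflow_path != f"{pub.repository}/.github/workflows/{pub.workflow_file}":
        return "workflow mismatch"
    if pub.environment is not None and claims.get("environment") != pub.environment:
        return "environment mismatch"
    return "ok"


def make_claims(repo: str, environment: Optional[str] = None) -> dict:
    """Build a constructed claim set; "ci.yml" is a placeholder file name."""
    claims = {
        "repository": repo,
        "job_workflow_ref": f"{repo}/.github/workflows/ci.yml@refs/tags/23.6.0",
    }
    if environment is not None:
        claims["environment"] = environment
    return claims


LOOSE = TrustedPublisher("twisted/towncrier", "ci.yml", None)
STRICT = TrustedPublisher("twisted/towncrier", "ci.yml", "release-pypi")

PUBLISH_JOB = make_claims("twisted/towncrier", "release-pypi")
OTHER_JOB = make_claims("twisted/towncrier")   # same workflow, no environment
FORK_JOB = make_claims("example-fork/towncrier", "release-pypi")

if __name__ == "__main__":
    for name, claims in [("publish", PUBLISH_JOB), ("other", OTHER_JOB), ("fork", FORK_JOB)]:
        print(name, "loose:", evaluate(LOOSE, claims), "| strict:", evaluate(STRICT, claims))
```

In this model the entry without an environment accepts any job of the registered workflow, while the entry pinned to `release-pypi` accepts only the job that declares that environment; the fork is rejected in both cases because its `repository` claim differs.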

Member Author

@hynek it looks like using the GHA environment has the unwanted side effect, that any CI run is now blocked and needs manual approval.

I tried to add a high-level conditional, but I see that the deploy request is still triggered.

Member

Eh ok leave it out for now and we’ll look another time. Sorry for the noise.

Member Author

I think that the environment thing is worth exploring ...

I guess that the deployment workflow is designed to be triggered as a side-effect of another workflow (with dispatch) ... and it's not designed to be executed as mixed job

Member

This is how I do it: https://github.com/hynek/structlog/blob/main/.github/workflows/pypi-package.yml

If you want, you can copy it verbatim and just change the trigger conditions.

Member Author

I think it makes sense to have the release code in a separate workflow.

At the same time, I hope we can keep towncrier automation simple and have everything in a single file to make it easier to discover and see what is going on in GitHub Actions.


I don't know what's best here :|

Member

I personally think (as demonstrated :)) that CI and publishing are sufficiently distinct issues, that it absolutely makes sense to keep them apart. But that's not something we need / should solve here.

Contributor

I would like to experiment with that and make another PR.

@adiroiban adiroiban deployed to release-pypi June 5, 2023 11:34 — with GitHub Actions Active
@glyph
Member

glyph commented Jun 5, 2023

the twisted core team is now an owner of the towncrier project.

@adiroiban
Member Author

Thanks @glyph. I have access to twisted/towncrier and I have created the GitHub publisher.

But I still don't have access to twisted/twisted

@glyph
Member

glyph commented Jun 5, 2023

OK I guess the 'maintainer' role isn't sufficient for most tasks. I promoted 'core' to 'owner' on twisted/twisted

@adiroiban
Member Author

I think this is ready for review.

The release notes are now visible in HTML format

https://towncrier--515.org.readthedocs.build/en/515/release-notes.html#

please review

@adiroiban adiroiban requested a review from a team June 5, 2023 21:27
Member

@hynek hynek left a comment

There is the small issue of an empty doc changelog entry that's my fault too, but nbd. if you want, fix that, otherwise go for it.

NEWS.rst Outdated
- Update link to Quick Start in configuration.html to point to Tutorial instead. (`#504 <https://github.com/twisted/towncrier/issues/504>`_)
- Add a note about the build command's ``--version`` requiring the command to be explicitly passed. (`#511 <https://github.com/twisted/towncrier/issues/511>`_)
- Fix typos in the Pre-Commit docs. (`#512 <https://github.com/twisted/towncrier/issues/512>`_)
- (`#513 <https://github.com/twisted/towncrier/issues/513>`_)
Member

this is not great (and entirely my fault), but I don't think it's worth to stop the release over

is it possible for you to move it down to the misc list?

@@ -194,6 +194,9 @@ jobs:
# https://github.community/t/is-it-possible-to-require-all-github-actions-tasks-to-pass-without-enumerating-them/117957/4?u=graingert
name: Check tag and publish
runs-on: ubuntu-latest
permissions:
Member

I personally think (as demonstrated :)) that CI and publishing are sufficiently distinct issues, that it absolutely makes sense to keep them apart. But that's not something we need / should solve here.

@adiroiban
Member Author

Yes. We definitely need to move the release/publish in a separate workflow.

The current workflow is confusing.

so ... release candidate is on pypi - https://pypi.org/project/towncrier/23.6.0rc1/

Published here - https://github.com/twisted/towncrier/actions/runs/5188156080/jobs/9351471004


I will prepare the final release

@hynek
Member

hynek commented Jun 6, 2023

> so ... release candidate is on pypi - https://pypi.org/project/towncrier/23.6.0rc1/
>
> Published here - https://github.com/twisted/towncrier/actions/runs/5188156080/jobs/9351471004

Happy to see it worked out!

> I will prepare the final release

Thanks for doing this!

@adiroiban
Member Author

I have created a separate ticket to discuss moving the release in a separate file #519

final release done here https://github.com/twisted/towncrier/actions/runs/5200182732

The package is published https://pypi.org/project/towncrier/23.6.0/

I will now set the dev version and merge this PR.

Thanks for your help

@adiroiban
Member Author

I have removed the PYPI_TOKEN secret from here https://github.com/twisted/towncrier/settings/secrets/actions ... this is the GHA side.

But I don't know where this token is defined inside PyPI.
I see that on GHA it was created on Updated on Dec 9, 2020
I can also see the log on PyPI with the token creation by @glyph - https://pypi.org/manage/project/towncrier/history/?page=2

Maybe the token is hosted in Glyph's PyPI profile.
Glyph, if you can find the Towncrier PyPI token, you can delete it :)

@adiroiban adiroiban enabled auto-merge (squash) June 7, 2023 13:07
@adiroiban adiroiban merged commit 878afb7 into trunk Jun 7, 2023
@adiroiban adiroiban deleted the release-23.6.0 branch June 7, 2023 13:09

For example, if there is an existing fragment named ``123.feature``,
then ``towncrier create 123.feature`` will now create a fragment
named ``123.feature.1``. (`#475 <https://github.com/twisted/towncrier/issues/475>`_)
Contributor

GitHub release tags don't seem to be able to render RST links such as this.

Is that a problem?

Member

I've pandoc'ed it now.

Development

Successfully merging this pull request may close these issues.

Publish using the new PyPI and do a release to test
4 participants