Add CI/CD job to upload Windows wheels (and a sdist) to PyPI

Facundo Tuesca requested to merge facutuesca/m2crypto:windows-wheels into master

Description

This MR adds two new GitLab CI/CD jobs:

  • build-sdist: A job with the only purpose of building the source distribution .tar.gz that will be uploaded to PyPI
  • release-pypi: A job that gathers the wheel artifacts of the Windows builds and the sdist from build-sdist and uploads them to PyPI

The release-pypi job is configured so that it can only be run manually from the GitLab UI, and only for pipelines triggered by pushing a version tag. This is what it would look like from the POV of the maintainer:

  1. Create a tag for the new version with git tag 0.40.X
  2. Push the tag with git push --tags
  3. Look at the pipelines being run (here). Something like this will be shown, where the first stage (build) is being run:

  4. Once the first stage finishes (and all the artifacts are available), the maintainer has the option of manually running the deploy stage:

  5. When run, it will gather the artifacts from the Windows builds and the sdist, and upload them to PyPI using Trusted Publishing (see below).

PyPI configuration (Trusted Publishing)

To avoid generating and maintaining a long-lived PyPI token to authorize uploads, the release-pypi job uses Trusted Publishing. This means that PyPI is configured to trust GitLab CI/CD workflows coming from gitlab.com/m2crypto/m2crypto, and allows them to mint a short-lived PyPI token which can be used by that job to upload files to the project. The advantage is that there is no long-term valid token that could be compromised (as with traditional PyPI tokens), but rather a new, short-lived token is generated for each release-pypi job run.

To configure it, these are the steps (adapted from the official docs):

  1. While logged in to PyPI, go to https://pypi.org/manage/project/m2crypto/settings/publishing/
  2. In the "Add new trusted publisher" section, select the GitLab tab
  3. Fill in the fields, like so:

  4. (Note that the "Environment name" field is left empty; release is just a suggested string.)
  5. Click on Add. The new trusted publisher should now be visible in the "Manage current publishers" section:

  6. Done! Now when release-pypi runs, it will automatically contact PyPI to mint a short-lived PyPI token that will allow it to upload files to the M2Crypto PyPI project.
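For readers who want to see what the jobs described above look like in a .gitlab-ci.yml, here is an added illustration of the pattern. It is not the MR's actual diff: the job names build-sdist and release-pypi come from the description, but the Windows job name (build-windows-wheels), the image, the stage names and the script lines are assumptions for the example. The token-minting steps follow the flow PyPI documents for GitLab CI/CD (request an OIDC token with audience pypi, exchange it at /_/oidc/mint-token, upload with twine), with the JSON parsed by python instead of jq so it runs on a plain python image.

```yaml
# Added example (not the project's own pipeline). Assumed job names and
# images are marked below.
stages:
  - build
  - deploy

build-windows-wheels:          # assumption: stands in for the existing Windows build jobs
  stage: build
  tags: [windows]              # assumption: the Windows runner tag used by the project
  script:
    - python -m pip install build
    - python -m build --wheel
  artifacts:
    paths: [dist/*.whl]

build-sdist:
  stage: build
  image: python:3-bookworm     # assumption
  script:
    - python -m pip install build
    - python -m build --sdist  # produces dist/*.tar.gz for PyPI
  artifacts:
    paths: [dist/*.tar.gz]

release-pypi:
  stage: deploy
  image: python:3-bookworm     # assumption
  # Only offered on pipelines started by pushing a tag, and even then only
  # when a maintainer clicks "play" in the GitLab UI; never on branch pushes.
  rules:
    - if: $CI_COMMIT_TAG
      when: manual
  # Pull the wheel and sdist artifacts from the build stage.
  needs:
    - job: build-windows-wheels
      artifacts: true
    - job: build-sdist
      artifacts: true
  # Ask GitLab for a short-lived OIDC token whose audience is PyPI. PyPI
  # checks the token's project_path claim (m2crypto/m2crypto) against the
  # trusted publisher configured in the project's publishing settings.
  id_tokens:
    PYPI_ID_TOKEN:
      aud: pypi
  script:
    - python -m pip install -U twine id
    # "id" reads PYPI_ID_TOKEN (the env var GitLab populates from id_tokens)
    - oidc_token=$(python -m id pypi)
    # Exchange the OIDC token for a PyPI API token that lives only for this job.
    - |
      api_token=$(curl --fail -sS -X POST https://pypi.org/_/oidc/mint-token \
        -H "Content-Type: application/json" \
        -d "{\"token\":\"${oidc_token}\"}" \
        | python -c 'import json,sys; print(json.load(sys.stdin)["token"])')
    - twine upload -u __token__ -p "${api_token}" dist/*
```

Two checks worth doing once this is in place: push a non-tag commit and confirm release-pypi does not appear in the pipeline at all (the rules block should drop it, not just skip it), and try the manual job from a fork; PyPI should reject the mint-token request because the project_path claim no longer matches the configured publisher, which is the property that makes the missing long-lived token safe to go without.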