Update the deploy CI to maximize safety/intent matching #162
Closed
Refactor GitHub Actions workflow for PyPI releases: remove pull_request triggers, and add a checkout step. Simplify dependency installs (install build/twine/packaging together), drop pip cache, and move checkout. Add steps to install the package, verify the git tag matches the package version (using importlib.metadata), separate build and publish steps, and streamline the twine upload command. Also tidy output of built artifacts.
Relax tag matching for releases from 'v*.*.*' to 'v*' so post/rc tags are allowed while relying on the existing version check to validate tags. Add a concurrency group (pypi-release-${{ github.ref }}) and set cancel-in-progress: false to better control parallel release runs. Also streamline the twine upload step to a single-line command.
deruyter92 (Collaborator) approved these changes on Feb 16, 2026 and left a comment:
Great catch and absolutely good idea to fix this! See one comment below, but LGTM
Build distributions earlier in the GitHub Actions workflow and install the generated wheel (pip install dist/*.whl) for the version check instead of running pip install .; remove the duplicate build step. This ensures the tag vs package version verification uses the exact built artifact that will be published.
Member
I think it is working as I intended it, and matches other pipelines I use, so I would prefer to keep it as is please.
Summary
This PR refines the PyPI release workflow to make the release contract more explicit and more deterministic.
The workflow is now:
What changed
v*tagsrc/posttags.
Impact
Future releases continue to work as before, with clearer guarantees around
intent and provenance.
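The tag-versus-package-version gate described in the commit messages above, sketched as an added example; this is not the project's workflow code. It assumes the wheel from `dist/` is already installed and that the tag ref arrives in `GITHUB_REF`. The script name is hypothetical, and the version parser is a simplified stdlib subset of PEP 440 standing in for the `packaging` library that the workflow installs.

```python
import os
import re
import sys
from importlib import metadata

# Simplified subset of PEP 440: release, optional pre-release, optional post-release.
# Epochs, dev and local segments are not handled and are rejected (fail closed).
_VERSION_RE = re.compile(
    r"(?P<release>\d+(?:\.\d+)*)"
    r"(?:[-_.]?(?P<pre_l>a|b|rc|alpha|beta|c|pre|preview)[-_.]?(?P<pre_n>\d*))?"
    r"(?:[-_.]?(?P<post_l>post|rev|r)[-_.]?(?P<post_n>\d*))?"
)
_PRE_ALIASES = {"alpha": "a", "beta": "b", "c": "rc", "pre": "rc", "preview": "rc"}


def canonical(text):
    """Return a comparable form of a version string, or raise ValueError."""
    m = _VERSION_RE.fullmatch(text.strip().lower())
    if m is None:
        raise ValueError(f"unsupported version: {text!r}")
    release = [int(part) for part in m["release"].split(".")]
    while len(release) > 1 and release[-1] == 0:  # 1.2.0 equals 1.2
        release.pop()
    pre = None
    if m["pre_l"]:
        pre = (_PRE_ALIASES.get(m["pre_l"], m["pre_l"]), int(m["pre_n"] or 0))
    post = int(m["post_n"] or 0) if m["post_l"] else None
    return tuple(release), pre, post


def release_allowed(ref, dist_version):
    """True only if the pushed tag ref names exactly the built package version."""
    tag = ref.removeprefix("refs/tags/")
    if not tag.startswith("v"):
        return False
    try:
        return canonical(tag[1:]) == canonical(dist_version)
    except ValueError:  # e.g. tag "v-test" also matches the 'v*' trigger
        return False


if __name__ == "__main__":
    # Usage (hypothetical): python check_tag.py <distribution-name>
    # GITHUB_REF is set by GitHub Actions; the wheel from dist/ must be installed first.
    ref = os.environ.get("GITHUB_REF", "")
    version = metadata.version(sys.argv[1])
    if not release_allowed(ref, version):
        sys.exit(f"tag {ref!r} does not match package version {version!r}")
    print(f"OK: {ref} matches {version}")
```

Because the `v*` trigger fires on any tag that starts with `v`, this gate is the only thing that stops a stray tag from reaching the upload step, so it rejects anything it cannot parse.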