From f5b9df1719e9e59772c3701e02cf708f30b6c2f9 Mon Sep 17 00:00:00 2001
From: C-Achard
Date: Mon, 16 Feb 2026 16:09:49 +0100
Subject: [PATCH 1/3] Safer workflow: Update PyPI release workflow

Refactor GitHub Actions workflow for PyPI releases: remove pull_request triggers, and add a checkout step. Simplify dependency installs (install build/twine/packaging together), drop pip cache, and move checkout. Add steps to install the package, verify the git tag matches the package version (using importlib.metadata), separate build and publish steps, and streamline the twine upload command. Also tidy output of built artifacts.
---
 .github/workflows/python-package.yml | 62 ++++++++++++----------------
 1 file changed, 27 insertions(+), 35 deletions(-)

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 00f7a37..cdac6cc 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -1,59 +1,51 @@ -name: Update pypi release +name: Update PyPI release on: push: tags: - 'v*.*.*' - pull_request: - branches: - - main - - public - types: - - labeled - - opened - - edited - - synchronize - - reopened jobs: release: runs-on: ubuntu-latest steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Setup Python - id: setup-python uses: actions/setup-python@v5 with: python-version: '3.x' - - name: Cache dependencies - id: pip-cache - uses: actions/cache@v4 - with: - path: ~/.cache/pip - key: ${{ runner.os }}-pip-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('pyproject.toml', 'requirements.txt', 'setup.cfg', 'setup.py') }} - restore-keys: | - ${{ runner.os }}-pip-${{ steps.setup-python.outputs.python-version }}- - ${{ runner.os }}-pip- - - - name: Install dependencies + - name: Install build dependencies run: | pip install --upgrade pip - pip install wheel - pip install "packaging>=24.2" - pip install build - pip install twine + pip install build twine "packaging>=24.2" - - name: Checkout code - uses: actions/checkout@v4 + - name: Install package (for version check) + run: pip install . - - name: Build and publish to PyPI - if: ${{ github.event_name == 'push' }} + - name: Verify tag matches package version + run: | + TAG_VERSION="${GITHUB_REF_NAME#v}" + PKG_VERSION=$(python - < Date: Mon, 16 Feb 2026 16:14:56 +0100 Subject: [PATCH 2/3] Allow flexible PyPI tag pattern and add concurrency Relax tag matching for releases from 'v*.*.*' to 'v*' so post/rc tags are allowed while relying on the existing version check to validate tags. Add a concurrency group (pypi-release-${{ github.ref }}) and set cancel-in-progress: false to better control parallel release runs. Also streamline the twine upload step to a single-line command. --- .github/workflows/python-package.yml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index cdac6cc..854f073 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -3,7 +3,15 @@ name: Update PyPI release
 on:
   push:
     tags:
-      - 'v*.*.*'
+      # v*.*.* does NOT allow post/rc tags
+      # the "matching with version" check ensures that
+      # the tag version matches the package version,
+      # so we can allow more flexible tag formats here
+      - 'v*'
+
+concurrency:
+  group: pypi-release-${{ github.ref }}
+  cancel-in-progress: false
 
 jobs:
   release:
@@ -47,5 +55,4 @@ jobs:
         env:
           TWINE_USERNAME: __token__
           TWINE_PASSWORD: ${{ secrets.TWINE_API_KEY }}
-        run: |
-          python -m twine upload --verbose dist/*
+        run: python -m twine upload --verbose dist/*

From bacf28413abf44b16fa4173fdd731c1e811ad654 Mon Sep 17 00:00:00 2001
From: C-Achard
Date: Mon, 16 Feb 2026 17:47:40 +0100
Subject: [PATCH 3/3] Use built wheel for version check in CI

Build distributions earlier in the GitHub Actions workflow and install the generated wheel (pip install dist/*.whl) for the version check instead of running pip install .; remove the duplicate build step. This ensures the tag vs package version verification uses the exact built artifact that will be published.
---
 .github/workflows/python-package.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 854f073..a29dfcf 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -31,8 +31,13 @@ jobs:
           pip install --upgrade pip
           pip install build twine "packaging>=24.2"
 
-      - name: Install package (for version check)
-        run: pip install .
+      - name: Build distributions
+        run: |
+          python -m build
+          ls -l dist/
+
+      - name: Install wheel (for version check)
+        run: pip install dist/*.whl
 
       - name: Verify tag matches package version
         run: |
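Review bot: The concurrency group added in the first hunk of patch 2 is keyed on `${{ github.ref }}`, so it only serializes re-runs of the same tag; two different release tags pushed close together still run at the same time, which is the parallel-release case the commit message says it wants to control. If one release at a time is the goal, key the group on a constant, `group: pypi-release`, and keep `cancel-in-progress: false` so a queued release is never cancelled mid-upload. While this top-level block is being edited, a `permissions:` / `  contents: read` stanza next to `concurrency:` would scope the job's GITHUB_TOKEN to read-only, assuming the file does not already declare one outside the hunk. The relaxed `'v*'` trigger is acceptable only because the tag-to-version comparison later in the file rejects a tag that does not match the built package; the comment block in the hunk should say that explicitly rather than "more flexible tag formats".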
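Review bot: The publish step in the second hunk of patch 2 still authenticates with the long-lived `secrets.TWINE_API_KEY` token passed as `TWINE_PASSWORD`; collapsing `run:` to one line does not change that. A static PyPI token in repository secrets is the main residual risk of this job, and the standard replacement is PyPI trusted publishing, which exchanges a short-lived OIDC token (`id-token: write` in the job's `permissions:` plus `pypa/gh-action-pypi-publish` in place of the twine command) so no credential is stored in the repo. If twine is kept, running `python -m twine check dist/*` before the upload rejects malformed metadata before anything is published. The rest of the `release` job is outside this hunk.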
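Review bot: `pip install dist/*.whl` in the patch 3 hunk installs the wheel together with all of its runtime dependencies, fetched from PyPI inside the release job, although the following step only needs the distribution metadata if it reads the version through importlib.metadata as the first patch's description states. Use `run: pip install --no-deps dist/*.whl` so the check reads the built artifact without pulling unrelated packages into the publishing environment. The glob also assumes `python -m build` leaves exactly one wheel in `dist/`, which holds for a fresh checkout but would silently pass several files to pip if the directory were ever reused.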
@@ -46,11 +51,6 @@ jobs:
           echo "Package version: $PKG_VERSION"
           test "$TAG_VERSION" = "$PKG_VERSION"
 
-      - name: Build distributions
-        run: |
-          python -m build
-          ls -l dist/
-
       - name: Publish to PyPI
         env:
           TWINE_USERNAME: __token__