feat(ci): switch to uv publish for PyPI uploads#13991
feat(ci): switch to uv publish for PyPI uploads#13991
Conversation
|
(My plan here is to make |
| attestations: ${{ env.PYPI_URL == 'https://upload.pypi.org/legacy/' }} | ||
| # uv is present because attest-action installs it. | ||
| run: | | ||
| uv publish --trusted-publishing=always dist/* |
There was a problem hiding this comment.
Is uv in the base image? If not, it's not installed here.
There was a problem hiding this comment.
It's installed implicitly via attest-action, since workspace tools are global state. I find this kind of spooky/scary though.
There was a problem hiding this comment.
Oh I just realized this won't work, since attest-action only runs conditionally on it being a push to prod pypi.
There was a problem hiding this comment.
Yep, was going to fix it today. Sorry for the re-ping from the new activity.
There was a problem hiding this comment.
Okay, I've added a setup-uv to ensure uv is always present. This feels kind of wrong given that you use python -m pip install -c ci-constraints-requirements.txt 'uv' elsewhere, but the alternative would be to increase the size of the publish job here significantly (with a checkout + setup-python).
Signed-off-by: William Woodruff <william@yossarian.net>
woodruffw
force-pushed
the
ww/uv-publish
branch
from
869551c to
dd8268e
Compare
Signed-off-by: William Woodruff <william@yossarian.net>
Signed-off-by: William Woodruff <william@yossarian.net>
| - uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0 | ||
| with: | ||
| save-cache: false |
There was a problem hiding this comment.
Does this also hash pin the version of uv that's installed?
There was a problem hiding this comment.
Yes, although it's a floating resolution (the action knows all of the hashes, and selects the latest version). That doesn't seem ideal though, and it's an additional failure point with GitHub's unreliability. I'm going to switch it to the same constraint approach you use elsewhere 🙂
There was a problem hiding this comment.
Yeah, we want everything pinned to a particular version. Only way to avoid shit breaking when we need it to work.
2 participants
This switches
pypi-publish.ymlfromgh-action-pypi-publishtouv publish. The upload itself is still through Trusted Publishing, and attestations are preserved throughastral-sh/attest-action(which can be removed in the medium-term, onceuv publishitself supports attestation generation).Noting a few things from conversation with @reaperhulk:
uv publishdirectly, since the uv binary is configured on the$PATHimplicitly viaastral-sh/attest-action. This is arguably undesirable, since cryptography otherwise pins uv via a requirements file.astral-sh/attest-actiondoesn't attempt to pin it (besides a lower bound for compatibility). This is "ok" from Astral's own trust domain, but it might not be what you want in your release pathway for stability/reproducibility purposes.TL;DR: This all works, but the current approach may not be what you want in terms of version pinning.