ci: publish to PyPI and npm via trusted publishers #1701
Merged
maartenbreddels merged 3 commits on Apr 28, 2026
Conversation
Reuse the wheel/sdist/tgz artifacts already produced by the `build` job instead of rebuilding at release time. The artifact that visual regression tests validate is the one that gets uploaded. Two new jobs (`publish-pypi`, `publish-npm`) gated on `[build, visual-regression-tests]`. They run on every PR/push in dry-run mode (`twine check`, `npm publish --dry-run`) and only do real uploads when triggered by a `release: published` event, via OIDC trusted publishers — no PYPI_TOKEN, no NPM_TOKEN. The npm dry-run is skipped with a notice when the version is already published, since `npm publish --dry-run` still validates against the registry and would otherwise fail every PR that doesn't bump the version. Version-sanity check on real release: fails if the GitHub Release tag doesn't match the wheel version, or if the npm version is already on the registry. Also added `twine check` to the `build` job so PR CI catches metadata issues early, and Python 3.12 to the install matrix. Inspired by the test/release workflows in widgetti/solara and widgetti/ipyvuetify. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Document the GitHub-Release-driven flow as the primary path; keep the legacy manual process as a deprecated fallback section. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
624363d to 7d6eed3
Bump python (0.12.45 → 0.12.46) and js (0.5.46 → 0.5.47) versions to exercise the trusted-publisher dry-run path on this PR. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Member: @meeseeksdev backport to master
(1 similar comment)
Owee, I'm MrMeeseeks, Look at me. There seems to be a conflict, please backport manually. Here are approximate instructions:
And apply the correct labels and milestones. Congratulations — you did some good work! Hopefully your backport PR will be tested by the continuous integration and merged soon! Remember to remove the
If these instructions are inaccurate, feel free to suggest an improvement.
martinRenou added a commit that referenced this pull request on Apr 30, 2026
* ci: publish to PyPI and npm via trusted publishers
  Reuse the wheel/sdist/tgz artifacts already produced by the `build` job instead of rebuilding at release time. The artifact that visual regression tests validate is the one that gets uploaded. Two new jobs (`publish-pypi`, `publish-npm`) gated on `[build, visual-regression-tests]`. They run on every PR/push in dry-run mode (`twine check`, `npm publish --dry-run`) and only do real uploads when triggered by a `release: published` event, via OIDC trusted publishers — no PYPI_TOKEN, no NPM_TOKEN. The npm dry-run is skipped with a notice when the version is already published, since `npm publish --dry-run` still validates against the registry and would otherwise fail every PR that doesn't bump the version. Version-sanity check on real release: fails if the GitHub Release tag doesn't match the wheel version, or if the npm version is already on the registry. Also added `twine check` to the `build` job so PR CI catches metadata issues early, and Python 3.12 to the install matrix. Inspired by the test/release workflows in widgetti/solara and widgetti/ipyvuetify. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs: update RELEASE.md for trusted-publisher release flow
  Document the GitHub-Release-driven flow as the primary path; keep the legacy manual process as a deprecated fallback section. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Fix conflict
* Fix dist name
---------
Co-authored-by: Maarten Breddels <maartenbreddels@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
- Reuse the `dist/` artifact already produced by the `build` job (wheel, sdist, npm tarball) instead of rebuilding at release time. The artifact that visual regression tests validate is the one that gets uploaded.
- New `publish-pypi` and `publish-npm` jobs gated on `[build, visual-regression-tests]`. They run on every PR/push in dry-run mode (`twine check`, `npm publish --dry-run`) and only do real uploads when triggered by a `release: published` event, via OIDC trusted publishers (no `PYPI_TOKEN` or `NPM_TOKEN`).
- Added `twine check dist/*` to the `build` job so PR CI catches metadata issues early.
- Inspired by the test/release workflows in solara and ipyvuetify.

One-time setup (already done by maintainer)
- PyPI trusted publisher (workflow `build.yml`, environment `release-pypi`).
- npm trusted publisher (workflow `build.yml`, environment `release-npm`).
- GitHub environments `release-pypi` and `release-npm` created in the repo.

Release flow after this lands
- Bump the version in `bqplot/_version.py` and `js/package.json`, commit, push.
- Create a GitHub Release with the version as its tag (`0.12.46`, no `v` prefix).

Test plan
- CI on this PR runs `build`, then `publish-pypi` (dry-run) and `publish-npm` (dry-run) without any environment-approval prompt and without touching the registries.
- `twine check` passes on the built wheel/sdist.
- `npm publish --dry-run` reports the expected tarball contents.

🤖 Generated with Claude Code
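As an added illustration of the two publish jobs this PR describes (this is not the project's actual `build.yml`), the fragment below shows the dry-run/real-upload split, the `id-token: write` permission that replaces long-lived registry tokens, and both version-sanity checks. Job names and the `[build, visual-regression-tests]` gate follow the PR description; the `release-pypi` / `release-npm` environment binding the PR uses is left out, and the action versions, the `dist` artifact name, a single pure-Python wheel and a trusted publisher already configured on each registry are assumptions.

```yaml
# Added example, not the PR's build.yml. Assumed: artifact "dist" holds the
# wheel, sdist and npm tarball; trusted publishers exist on PyPI and npm.
publish-pypi:
  needs: [build, visual-regression-tests]   # only CI-validated artifacts ship
  runs-on: ubuntu-latest
  permissions:
    id-token: write      # short-lived OIDC token for PyPI; no PYPI_TOKEN secret
  steps:
    - uses: actions/download-artifact@v4
      with: { name: dist, path: dist }
    - run: pipx run twine check dist/*        # dry-run path, runs on every PR/push
    - name: Release tag must equal the wheel version
      if: github.event_name == 'release' && github.event.action == 'published'
      env: { TAG: "${{ github.event.release.tag_name }}" }   # env, not inline ${{ }}, in shell
      run: |
        wheel=$(ls dist/*.whl)               # one pure-Python wheel is assumed
        version=$(echo "${wheel##*/}" | cut -d- -f2)   # pkg-VERSION-py3-none-any.whl
        [ "$version" = "$TAG" ] || { echo "::error::tag $TAG != wheel $version"; exit 1; }
    - if: github.event_name == 'release' && github.event.action == 'published'
      uses: pypa/gh-action-pypi-publish@release/v1   # real upload, OIDC token exchange

publish-npm:
  needs: [build, visual-regression-tests]
  runs-on: ubuntu-latest
  permissions:
    id-token: write      # OIDC for npm trusted publishing; no NPM_TOKEN secret
  steps:
    - uses: actions/download-artifact@v4
      with: { name: dist, path: dist }
    - uses: actions/setup-node@v4           # npm >= 11.5.1 is required for OIDC publish
      with: { node-version: 24, registry-url: 'https://registry.npmjs.org' }
    - name: Dry-run on PR/push; skip with a notice if the version is already published
      if: github.event_name != 'release'
      run: |
        tgz=$(ls dist/*.tgz)
        spec=$(tar -xOf "$tgz" package/package.json | jq -r '"\(.name)@\(.version)"')
        if [ -n "$(npm view "$spec" version 2>/dev/null)" ]; then
          echo "::notice::$spec already on npm; skipping dry-run"
        else
          npm publish "$tgz" --dry-run
        fi
    - name: Refuse to republish an existing version, then publish via OIDC
      if: github.event_name == 'release' && github.event.action == 'published'
      run: |
        tgz=$(ls dist/*.tgz)
        spec=$(tar -xOf "$tgz" package/package.json | jq -r '"\(.name)@\(.version)"')
        [ -z "$(npm view "$spec" version 2>/dev/null)" ] ||
          { echo "::error::$spec is already on npm"; exit 1; }
        npm publish "$tgz" --provenance
```

Values read from the tarball or the release event are kept in shell variables or `env:` rather than interpolated into `run:` with `${{ }}`, so a PR that edits `package.json` cannot inject into the publish script.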