diff --git a/.github/workflows/publish_to_pypi.yml b/.github/workflows/publish_to_pypi.yml
new file mode 100644
index 000000000..2111e7992
--- /dev/null
+++ b/.github/workflows/publish_to_pypi.yml
@@ -0,0 +1,107 @@
+name: Publish xrpl-py 🐍 distribution 📦 to PyPI
+on:
+ push:
+ tags:
+ - '*'
+
+jobs:
+ build:
+ name: Build distribution 📦
+ runs-on: ubuntu-latest
+ env:
+ POETRY_VERSION: 1.8.3
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ # Use the lowest supported version of Python for CI/CD
+ python-version: "3.8"
+ - name: Load cached .local
+ id: cache-poetry
+ uses: actions/cache@v3
+ with:
+ path: /home/runner/.local
+ key: dotlocal-${{ env.POETRY_VERSION }}-${{ hashFiles('poetry.lock') }}
+ - name: Install poetry
+ if: steps.cache-poetry.outputs.cache-hit != 'true'
+ run: |
+ curl -sSL "https://install.python-poetry.org/" | python - --version "${{ env.POETRY_VERSION }}"
+ echo "${HOME}/.local/bin" >> $GITHUB_PATH
+ poetry --version || exit 1 # Verify installation
+ - name: Build a binary wheel and a source tarball
+ run: poetry build
+ - name: Store the distribution packages
+ uses: actions/upload-artifact@v4
+ with:
+ name: python-package-distributions
+ path: dist/
+ publish-to-pypi:
+ name: >-
+ Publish Python 🐍 distribution 📦 to PyPI
+ needs: build # Explicit dependency on build job
+ runs-on: ubuntu-latest
+ timeout-minutes: 10 # Adjust based on typical publishing time
+ permissions:
+ # More information about Trusted Publishing and OpenID Connect: https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
+ id-token: write # IMPORTANT: mandatory for trusted publishing
+ steps:
+ - name: Download all the dists
+ uses: actions/download-artifact@v4
+ with:
+ name: python-package-distributions
+ path: dist/
+ - name: Verify downloaded artifacts
+ run: |
+ ls dist/*.whl dist/*.tar.gz || exit 1
+ - name: Publish distribution 📦 to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ verbose: true
+ verify-metadata: true
+
+ github-release:
+ name: >-
+ Sign the Python 🐍 distribution 📦 with Sigstore
+ and upload them to GitHub Release
+ needs:
+ - publish-to-pypi
+ runs-on: ubuntu-latest
+ timeout-minutes: 15 # Adjust based on typical signing and release time
+
+ permissions:
+ contents: write # IMPORTANT: mandatory for making GitHub Releases
+ id-token: write # IMPORTANT: mandatory for sigstore
+
+ steps:
+ - name: Download all the dists
+ uses: actions/download-artifact@v4
+ with:
+ name: python-package-distributions
+ path: dist/
+ - name: Sign the dists with Sigstore
+ uses: sigstore/gh-action-sigstore-python@v2.1.1
+ with:
+ inputs: >-
+ ./dist/*.tar.gz
+ ./dist/*.whl
+ - name: Create GitHub Release
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ run: >-
+ gh release create
+ '${{ github.ref_name }}'
+ --repo '${{ github.repository }}'
+ --generate-notes ||
+ (echo "::error::Failed to create release" && exit 1)
+ - name: Upload artifact signatures to GitHub Release
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ # Upload to GitHub Release using the `gh` CLI.
+ # `dist/` contains the built packages, and the
+ # sigstore-produced signatures and certificates.
+ run: >-
+ gh release upload
+ '${{ github.ref_name }}' dist/**
+ --repo '${{ github.repository }}'
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index af34609b7..6a1b49cbe 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
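Review bot: The `build` job, whose output is what gets published and signed, takes its toolchain from two places that are not integrity-checked: the `Load cached .local` step restores `/home/runner/.local` (the Poetry install itself) from the Actions cache, and on a cache miss `Install poetry` pipes a live download of `https://install.python-poetry.org/` into `python`. If any other workflow in this repository saves under the same `dotlocal-…` key, whatever it stored is what builds the release, so for a tag-triggered publish I would drop the cache step and install a pinned Poetry from the package index. Separately, the two `gh release` steps expand `${{ github.ref_name }}` into the script text before the shell runs, and the surrounding single quotes do not help if a tag name contains a quote; pass it through `env:` and reference it as a quoted shell variable. The `uses:` lines also reference movable refs (`@v4`, `@release/v1`, `@v2.1.1`), which is worth pinning to full commit SHAs in jobs holding `id-token: write`.

```yaml
      # … unchanged: checkout, setup-python …
      # "Load cached .local" step dropped for the release build
      - name: Install poetry
        run: |
          python -m pip install "poetry==${POETRY_VERSION}"
          poetry --version
      # … unchanged: poetry build, upload-artifact, publish-to-pypi job, download and Sigstore signing steps …
      - name: Create GitHub Release
        env:
          GITHUB_TOKEN: ${{ github.token }}
          TAG_NAME: ${{ github.ref_name }}
        run: >-
          gh release create "$TAG_NAME"
          --repo "$GITHUB_REPOSITORY"
          --generate-notes ||
          (echo "::error::Failed to create release" && exit 1)
      - name: Upload artifact signatures to GitHub Release
        env:
          GITHUB_TOKEN: ${{ github.token }}
          TAG_NAME: ${{ github.ref_name }}
        run: >-
          gh release upload "$TAG_NAME" dist/**
          --repo "$GITHUB_REPOSITORY"
```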
@@ -202,7 +202,18 @@ This should almost always be done using the [`xrpl-codec-gen`](https://github.co - Merge your changes. ### Release - +1. Please increment the version in `pyproject.toml` and update the `CHANGELOG.md` file appropriately. We follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +2. Please select a commit that is suitable for release and create a tag. The following commands can be helpful: +`git tag -s -a -m "Optional Message describing the tag"` +`git tag` -- This command displays all the tags in the repository. +`git push tag ` +3. A [Github Workflow](.github/workflows/publish_to_pypi.yml) completes the rest of the Release steps (building the project, generating a .whl and tarball, publishing on the PyPI platform). The workflow uses OpenID Connect's temporary keys to obtain the necessary PyPI authorization. +As a prerequisite, the PyPI `xrpl-py` project needs to authorize Github Actions as a "Trusted Publisher". This page contains helpful resources: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#configuring-trusted-publishing +4. Send an email to [xrpl-announce](https://groups.google.com/g/xrpl-announce). +5. Post an announcement in the [XRPL Discord #python channel](https://discord.com/channels/886050993802985492/886053080913821717) with a link to the changes and highlighting key changes. + + +**Note: If maintainers prefer to manually release the xrpl-py software distribution, the below steps are relevant.** 1. Create a branch off main that properly increments the version in `pyproject.toml` and updates the `CHANGELOG` appropriately. We follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 2. Merge this branch into `main`. 3. Locally build and download the package. diff --git a/pyproject.toml b/pyproject.toml index 6605ea5ce..d86c1b9c4 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -1,6 +1,6 @@
 [tool.poetry]
-name = "xrpl-py"
-version = "3.0.0"
+name = "xrpl-py-release-test-1"
+version = "3.0.11"
 description = "A complete Python library for interacting with the XRP ledger"
 readme = "README.md"
 repository = "https://github.com/XRPLF/xrpl-py"
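Review bot: The new `name = "xrpl-py-release-test-1"` looks like a value left over from exercising the release pipeline; with it merged, the tag-triggered workflow added in this commit would build and publish under that project name, while CONTRIBUTING.md describes the trusted-publisher authorization for `xrpl-py`. Restore `name = "xrpl-py"` before merge, and confirm that `version = "3.0.11"` is the version the next tag is meant to carry rather than a counter from test uploads. Nothing visible in the workflow compares the pushed tag with this `version`, so a step that fails the build when they differ would catch this kind of mismatch before anything is uploaded.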