ci: publish release to testpypi from github actions

[laurentS]

This is a draft of what an automatic package publishing workflow could look like.

TODO:

• Add automatic changelogs
• Allow publishing only from master branch
• Restrict publishing to allowed contributors
• switch from testpypi to production pypi once everything else is done

[laurentS]

Proposed way forward from a chat with @twcurrie:
We can use github labels to mark PRs as release|patch, release|minor or release|major which in turn can trigger an automatic version bump and a new release when the corresponding PR is merged.

Action plan for this PR:

• make the testpypi workflow above work
• trigger the action from a github label (instead of current git tags) in a separate PR
• enforce semantic PR titles (example here). This should work now using the semantic-prs app.
• auto-update changelog based on PR titles Will leave this for a separate PR

[laurentS]

https://intuit.github.io/auto/ might be a useful tool for this task (although python support does not seem like a priority after a quick look)

[laurentS]

@twcurrie @thentgesMindee if you have a moment to take a look at this PR, it'd be great. I've tried to put together something simple to reduce friction when publishing releases.
There's some enforcement of semantic PR titles, and a workflow that's ready to publish to pypi. It's currently failing because the version already exists on testpypi, but nothing major.
Ideally, I'd love to add a tool to generate automatic changelogs, and bump versions. If you have any recommendations for python, please let me know.

[sanders41]

For the release notes I use release drafter, but this puts the changes in the release tag and not a CHANGELOG.md file so not exactly what you are looking for. Towncrier is one I have heard of, but have never used myself that can put the changes in a CHANGELOG.md.

[sanders41]

Poetry can also do the publish for you. I haven't tested publishing to test pypi before, but according to the configs I found I think I have it correct.

Suggested change

	- name: Build distribution tarball and wheel
	# TODO: restrict this to master branch only
	run: |
	poetry build
	- name: Publish distribution 📦 to Test PyPI
	# publish to testpypi on all commit just for testing this PR
	uses: pypa/gh-action-pypi-publish@release/v1
	with:
	password: ${{ secrets.TEST_PYPI_API_TOKEN }}
	repository-url: https://test.pypi.org/legacy/
	- name: Publish distribution 📦 to PyPI
	if: startsWith(github.ref, 'refs/tags')
	uses: pypa/gh-action-pypi-publish@release/v1
	with:
	password: ${{ secrets.PYPI_API_TOKEN }}
	- name: Install Dependencies
	run: |
	poetry install
	- name: Publish distribution 📦 to Test PyPI
	# publish to testpypi on all commit just for testing this PR
	run |
	# I believe publishing with password is depreciated and you you need a token instead?
	poetry config pypi-token.test-pypi ${{ secrets.TEST_PYPI_API_TOKEN }}
	poetry config repositories.test-pypi https://test.pypi.org/legacy/
	poetry publish -r test-pypi --build
	- name: Publish distribution 📦 to PyPI
	if: startsWith(github.ref, 'refs/tags')
	run |
	poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}
	poetry publish --build

[Rested]

https://github.com/marketplace/actions/pypi-publish#trusted-publishing would recommend setting this up.

The way i like to do things in terms of publishing is have it so it pushes to pypi whenever a new version in the pyproject.toml is committed to main.

Could be a good first step and then use something like https://github.com/mikepenz/release-changelog-builder-action to generate change logs and releases later?

name: Tag and publish client library versions
on:
  push:
    branches:
      - main
jobs:
  autotag:
    permissions:
      contents: 'write'
      id-token: 'write'
    runs-on: ubuntu-latest
    environment:
      name: pypi
      url: https://pypi.org/p/slowapi

    outputs:
      tag-exists: ${{ steps.check-tag-exists.outcome }}
    steps:
      - name: Checkout
        uses: actions/[email protected]
        with:
          fetch-depth: 0
      - name: Setup python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11' 
      - name: Setup poetry
        run: |
          curl -sSL https://install.python-poetry.org | python3 - --version 1.5.0
          export PATH=$PATH:$HOME/.local/bin
      - name: Get version
        run: echo "VERSION=$(poetry version | cut -d ' ' -f2)" >> $GITHUB_ENV
      - name: Check tag exists for client library version
        id: check-tag-exists
        continue-on-error: true
        run: >
          git tag -l | grep v${{ env.VERSION }} || exit 1
      - name: Push tag if none exists
        if: ${{ steps.check-tag-exists.outcome == 'failure' }}
        uses: actions/github-script@v4
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          script: |
            const fs = require('fs')
            github.git.createRef({
              owner: context.repo.owner,
              repo: context.repo.repo,
              ref: `refs/tags/v${{ env.VERSION }}`,
              sha: context.sha
            })
      - name: Build artefact
        run: >
          poetry build
      - name: Publish package distributions to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1