gh-action-pypi-publish VS python-ms

> Recently I've seen someone on Reddit trying to automate the creation of PyPI projects through GitHub Actions. The person was complaining that the first deployment couldn't use an API key for that project since it didn't exist. So I'm not surprised some people are trying to do the same for malicious purposes.

Sorry for the tangent, but: you can do this now! If you use trusted publishing, you can register a "pending publisher" for a project that doesn't exist yet. When the trusted publisher (like GitHub Actions) is used, it'll create the project[1].

All of this is supported transparently by the official publishing action for GitHub Actions[2].

[1]: https://docs.pypi.org/trusted-publishers/creating-a-project-...

[2]: https://github.com/pypa/gh-action-pypi-publish

In the documentation example, I see that the action yaml file contains the line uses: pypa/gh-action-pypi-publish@release/v1. I have never done this before and almost went with that, but I am not sure why the example shows v1 hardcoded, so I don't think I actually want this to happen. It doesn't seem to be well explained though, and the pypi-publish action repo was also quiet on this. Is this saying that it will create a release branch in my repo and call the release v1? Or how will this appear after I've done it? Will I have to manually change this v1 to v0.1.1 in the actions file AND the pyproject.toml?

Yeah, you're uploading to PyPi in your pipeline, great. The custom github action still uses twine because the stdlib falls short on BASIC security. https://github.com/pypa/gh-action-pypi-publish/blob/unstable/v1/twine-upload.sh

I never bothered with pypi myself but I hope the nudge into github actions helps you. I've found the following promising github action: https://github.com/pypa/gh-action-pypi-publish

Traditionally, you import a package and then use things from it to do a task. However, it is actually possible to have the import itself do stuff; I used this technique in python_ms to replicate the original JS module down to its import. And fuckit did it way before that.

As a side note, if you use GitHub Actions or a similar CI/CD system, you can use a matrix or equivalent to create builds or run tests on various different operating systems and Python versions, so you might not even need to worry about running multiple Python versions locally. For example, I use that to build releases for multiple platforms, and to run comprehensive test suites in all configurations.

At first I considered this one, but since it does some funky stuff with sys.path I figured that might confuse you if you started to follow everything to the letter. Otherwise it would probably be more suitable.

I don't really have any simple project examples that use databases (the closest thing would be a certain server project, which is probably too complex for you right now), but to showcase project structure I can suggest python_ms.

I'm also rather fond of GitHub Actions, so I'd create additional scripts for Dependabot updates and some linters/Black to automatically run on every push/pull request. Maybe even automating the PyPI publishing process via Git version tags, and adding releases to GitHub. For that, I believe python_ms is a decent example.

First impressions; I kinda wish the code was in its own subdirectory as generally speaking the repository root is for metadata files/build scripts only. This project will probably serve as a decent example of that.

I also recommend at least looking into letting a CI/CD pipeline handle this for you (for example GitHub Actions) because that way you don't need to expose your API key in the repository, or risk committing secrets in general. As an example, here's my Actions script for uploading new python-ms releases.

Having a pretty README also can't hurt, I'm particularly proud of this one: https://github.com/Diapolo10/python-ms/blob/main/README.md

As far as examples go, I think my EguiValet server project might suffice for this one. It's probably a bit bigger than whatever you're working on, but python_ms would probably be too bare-bones in this case.

If you want an example, python_ms will probably work. I decided to publish on merged pull requests to main instead of waiting for tags (I should probably change that in my template by now), and it's using Poetry, but it's my smallest project that's easy enough to follow in a short time.