Tag-driven versioning and PyPI release automation (#14)#20
Merged
Conversation
Add .github/workflows/release.yml that builds and publishes the package using PyPI Trusted Publishing (OIDC), so no API tokens are stored in GitHub: - build job: `python -m build` + `twine check`, uploads dist artifacts. - publish-pypi: runs on a published GitHub Release -> uploads to PyPI (environment: pypi). - publish-testpypi: runs on manual dispatch -> uploads to TestPyPI for staging (environment: testpypi). Requires a one-time "pending publisher" configured on PyPI/TestPyPI; setup steps are documented in the workflow header. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01XYvSCw1sjoG2AHbLPCsX7S
Make the git tag the single source of truth for the package version, so releasing no longer requires editing a hardcoded version string: - pyproject.toml: switch to setuptools-scm (build-system requires + [tool.setuptools_scm] writing domain_security_analyzer/_version.py); drop the static [tool.setuptools.dynamic] attr. - __version__.py: resolve the version at runtime from installed package metadata, falling back to the setuptools-scm _version.py in a source tree. - Bump requires-python to >=3.8 (3.7 is EOL; importlib.metadata is stdlib from 3.8) and refresh classifiers (drop 3.7, add 3.12). - CI/release: checkout with fetch-depth: 0 so setuptools-scm sees tags. - gitignore the generated _version.py. A clean checkout of tag `vX.Y.Z` now builds exactly version `X.Y.Z`. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01XYvSCw1sjoG2AHbLPCsX7S
Add a `push: tags: ['v*']` trigger to release.yml so a tag push publishes to PyPI directly (no GitHub Release required): `git tag v1.2.3 && git push origin v1.2.3`. The publish-pypi job now runs on either a tag push or a published GitHub Release; manual dispatch still targets TestPyPI. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01XYvSCw1sjoG2AHbLPCsX7S
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Makes the git tag the single source of truth for the version (via setuptools-scm) and wires up automated PyPI publishing through Trusted Publishing (OIDC). Completes the release tooling for #14 — no hardcoded version strings, no stored API tokens.
What changed
Versioning (setuptools-scm)
pyproject.toml: switched to setuptools-scm ([tool.setuptools_scm]writesdomain_security_analyzer/_version.py); removed the static[tool.setuptools.dynamic]attr.__version__.py: resolves the version at runtime from installed package metadata, falling back to the generated_version.pyin a source tree.requires-pythonto>=3.8(3.7 is EOL;importlib.metadatais stdlib from 3.8) and refreshed classifiers (drop 3.7, add 3.12)..gitignores the generated_version.py.Release automation (
.github/workflows/release.yml)pypa/gh-action-pypi-publishwith Trusted Publishing (OIDC) — no tokens in GitHub.v*tag → build + publish to PyPIbuildjob runspython -m build+twine check.CI
ci.ymlandrelease.ymlcheckouts usefetch-depth: 0so setuptools-scm can see tags.How releasing works after merge
setuptools-scm stamps the build as exactly
1.0.0and the trusted publisher uploads it to PyPI. (The GitHub Release UI path works too.)Verification (local)
0.1.dev50+g…)v1.0.0→ exactly1.0.0python -m build+twine check→ PASSED for wheel and sdistPrerequisite (already done)
Pending publisher configured on PyPI for
domain-security-analyzer/CallMarcus/domain-security-analyzer/release.yml. A matching TestPyPI publisher (environmenttestpypi) enables the staging path.🤖 Generated with Claude Code
Generated by Claude Code