Skip to content

Tag-driven versioning and PyPI release automation (#14)#20

Merged
CallMarcus merged 3 commits into
mainfrom
claude/issues-status-review-ll7hil
Jun 22, 2026
Merged

Tag-driven versioning and PyPI release automation (#14)#20
CallMarcus merged 3 commits into
mainfrom
claude/issues-status-review-ll7hil

Conversation

@CallMarcus

Copy link
Copy Markdown
Owner

Summary

Makes the git tag the single source of truth for the version (via setuptools-scm) and wires up automated PyPI publishing through Trusted Publishing (OIDC). Completes the release tooling for #14 — no hardcoded version strings, no stored API tokens.

What changed

Versioning (setuptools-scm)

  • pyproject.toml: switched to setuptools-scm ([tool.setuptools_scm] writes domain_security_analyzer/_version.py); removed the static [tool.setuptools.dynamic] attr.
  • __version__.py: resolves the version at runtime from installed package metadata, falling back to the generated _version.py in a source tree.
  • Bumped requires-python to >=3.8 (3.7 is EOL; importlib.metadata is stdlib from 3.8) and refreshed classifiers (drop 3.7, add 3.12).
  • .gitignores the generated _version.py.

Release automation (.github/workflows/release.yml)

  • Publishes to PyPI via pypa/gh-action-pypi-publish with Trusted Publishing (OIDC) — no tokens in GitHub.
  • Triggers:
    • Push a v* tag → build + publish to PyPI
    • Publish a GitHub Release → build + publish to PyPI
    • Manual dispatch → publish to TestPyPI (staging)
  • A separate build job runs python -m build + twine check.

CI

  • ci.yml and release.yml checkouts use fetch-depth: 0 so setuptools-scm can see tags.

How releasing works after merge

git tag v1.0.0
git push origin v1.0.0

setuptools-scm stamps the build as exactly 1.0.0 and the trusted publisher uploads it to PyPI. (The GitHub Release UI path works too.)

Verification (local)

  • Untagged build → dev version (e.g. 0.1.dev50+g…)
  • Clean checkout of tag v1.0.0exactly 1.0.0
  • python -m build + twine check → PASSED for wheel and sdist
  • Full test suite (23 tests) → passing

Prerequisite (already done)

Pending publisher configured on PyPI for domain-security-analyzer / CallMarcus/domain-security-analyzer / release.yml. A matching TestPyPI publisher (environment testpypi) enables the staging path.

🤖 Generated with Claude Code


Generated by Claude Code

claude added 3 commits June 21, 2026 17:05
Add .github/workflows/release.yml that builds and publishes the package
using PyPI Trusted Publishing (OIDC), so no API tokens are stored in GitHub:

- build job: `python -m build` + `twine check`, uploads dist artifacts.
- publish-pypi: runs on a published GitHub Release -> uploads to PyPI
  (environment: pypi).
- publish-testpypi: runs on manual dispatch -> uploads to TestPyPI for
  staging (environment: testpypi).

Requires a one-time "pending publisher" configured on PyPI/TestPyPI; setup
steps are documented in the workflow header.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XYvSCw1sjoG2AHbLPCsX7S
Make the git tag the single source of truth for the package version, so
releasing no longer requires editing a hardcoded version string:

- pyproject.toml: switch to setuptools-scm (build-system requires +
  [tool.setuptools_scm] writing domain_security_analyzer/_version.py);
  drop the static [tool.setuptools.dynamic] attr.
- __version__.py: resolve the version at runtime from installed package
  metadata, falling back to the setuptools-scm _version.py in a source tree.
- Bump requires-python to >=3.8 (3.7 is EOL; importlib.metadata is stdlib
  from 3.8) and refresh classifiers (drop 3.7, add 3.12).
- CI/release: checkout with fetch-depth: 0 so setuptools-scm sees tags.
- gitignore the generated _version.py.

A clean checkout of tag `vX.Y.Z` now builds exactly version `X.Y.Z`.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XYvSCw1sjoG2AHbLPCsX7S
Add a `push: tags: ['v*']` trigger to release.yml so a tag push publishes to
PyPI directly (no GitHub Release required): `git tag v1.2.3 && git push origin
v1.2.3`. The publish-pypi job now runs on either a tag push or a published
GitHub Release; manual dispatch still targets TestPyPI.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XYvSCw1sjoG2AHbLPCsX7S
@CallMarcus
CallMarcus merged commit e0610c9 into main Jun 22, 2026
17 checks passed
@CallMarcus
CallMarcus deleted the claude/issues-status-review-ll7hil branch June 22, 2026 17:00
@CallMarcus CallMarcus mentioned this pull request Jun 22, 2026
41 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants