CI: add job to build wheels and upload them when a release is tagged #312
Conversation
dnicolodi
force-pushed
the
ci-build
branch
2 times, most recently
from
7373ddc to
423c9f3
Compare
|
While it shouldn't be a big issue for this project, I'd prefer if releases were made locally. This reduces targeting the CI as an attack vector, and allows the artifacts to be PGP signed. |
|
Sure, I understand. Can you please tag a 0.13.0.pre1 release as requested in #309 ? |
|
By the way, does PyPI support uploading GPG signed wheels? |
Sure, is it worth to tag now, before #279 is in? I am in the middle of reviewing it, and was hoping to get it in early next week. But we definitely tag a pre-release now, and another one later.
Yep, it doesn't show the signatures in the artifact list, which is fair, but you can download them. I used to also think it didn't, but it does, which is nice. |
|
Maybe just cherry-picking the gh-309 fix and doing a |
|
Yeah, that makes sense. Will do. |
This is nice. But how do you upload the signatures? Does twine take care of it? Does pip verify the signatures? I don't think so. Maybe I should go hunting for some documentation. This feature should maybe be advertised more. |
I was under the impression that not everyone is sold on the implementation of editable wheels in #279. I was asking for another pre-release because it seems some projects need it, but I don't know why scikit-image cannot use meson-python 0.12 |
Yeah. I'm sorry for the stupid regression. To my defense, that PR was reviewed in detail and no one spotted the typo. |
|
Yes, I know - such typos happen and are easy to make and to overlook in review. No worries at all there.
For me it's more that I don't have the time to really wrap my head around that stuff - happy to rely on you and @FFY00 here, if you both agree on the implementation and the use cases are addressed, then I think we'll be in a good place. |
|
My goal was always to shift to a better approach, like the one in #279. I think it's just a matter of if/when we are able to get it to work reliably. |
|
I think #279 works reliably and has extensive tests coverage. However, there may be use cases that I didn't think about and that are not covered by the tests. It would be nice if someone that uses editable wheels on complex projects tries it. |
Yep, you just need to pass the
No, it doesn't have the architecture to verify them in a way that actually makes sense. |
I don't know if we want this. The main goal is to potentially distribute the duty of cutting releases and reduce the bus factor. We may not want to build the wheel and the sdist for pull requests, in that case the action triggers may be changed. The current choice is only to make sure that the action works properly.