Skip to content

ci: add PyPI trusted publishing (abi3 wheels, v0.2.1)#123

Open
abimaelmartell wants to merge 4 commits into
mainfrom
ci-pypi-trusted-publishing
Open

ci: add PyPI trusted publishing (abi3 wheels, v0.2.1)#123
abimaelmartell wants to merge 4 commits into
mainfrom
ci-pypi-trusted-publishing

Conversation

@abimaelmartell

@abimaelmartell abimaelmartell commented Jul 10, 2026

Copy link
Copy Markdown
Member

Summary

Sets up automated PyPI publishing so pdf-inspector releases stop depending on manual uploads from a personal machine. Same trusted-publishing (OIDC) pattern as our npm and crates.io workflows — no API tokens anywhere.

  • publish-pypi.yml: triggers when the [project] version in pyproject.toml changes on main — same flow as npm publishing keying off napi/package.json. Builds wheels for linux x86_64/aarch64, macOS x86_64/arm64, windows x64 + sdist via maturin, publishes with pypa/gh-action-pypi-publish using OIDC. workflow_dispatch (main-only) is a manual fallback that also repairs partially-uploaded releases via skip-existing.
  • Independent Python version: pyproject.toml now carries its own static version (set to 0.2.1 — PyPI is already at 0.2.0, published outside this repo, so anything ≤0.2.0 would be ignored by pip). Bump it manually to release; the crate version in Cargo.toml is untouched by this PR.
  • abi3 wheels (abi3-py38): one wheel per platform now covers all CPython ≥3.8. The previous manual uploads were cp312-only, so users on 3.10/3.11/3.13 were building from source.

Verification

  • cargo fmt / cargo clippy --features python -- -D warnings / cargo test all pass
  • Built the wheel locally: pdf_inspector-0.2.1-cp38-abi3 (static pyproject version wins over Cargo's 0.1.4), type stubs (pdf_inspector.pyi) included by maturin
  • Installed in a clean venv: tests/test_python.py — 63 passed
  • Extraction no-op confirmed: binaries built from main with and without this change produce byte-identical output on all 41 fixture + eval PDFs

🤖 Generated with Claude Code

Adds publish-pypi.yml mirroring the npm/crates.io pattern: triggers on
Cargo.toml version change, builds wheels for 5 platforms via maturin,
publishes with OIDC trusted publishing (no tokens). workflow_dispatch
serves as a manual fallback for the first run after the PyPI project
transfer.

Enables pyo3 abi3-py38 so one wheel per platform covers CPython >=3.8
(previous manual uploads were cp312-only). Bumps version to 0.2.1 since
PyPI already has 0.2.0.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All reported issues were addressed across 2 files

Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic

Comment thread .github/workflows/publish-pypi.yml
Comment thread .github/workflows/publish-pypi.yml
Review feedback: trusted publishing doesn't match on branch, so
workflow_dispatch needed an explicit main-ref guard. Manual dispatch now
always rebuilds and publishes with skip-existing so a release that
failed after uploading only some wheels can be completed by re-running.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@abimaelmartell

Copy link
Copy Markdown
Member Author

Both review findings addressed in 89b20d5:

  1. Branch guard: check-version (which gates all downstream jobs) now requires github.ref == 'refs/heads/main', so a workflow_dispatch from a feature branch can no longer publish unmerged code.
  2. Partial-release repair: manual dispatch now always rebuilds instead of trusting the PyPI version check (which returns 200 even for incomplete releases), and the publish step uses skip-existing: true so a re-run uploads only the missing files.

abimaelmartell and others added 2 commits July 10, 2026 14:05
Decouple the Python package version from the crate version, matching
how npm publishing keys off napi/package.json: bump [project] version
in pyproject.toml manually and CI publishes on merge. Reverts the
Cargo.toml bump so this PR no longer triggers a crates.io release.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant