README.md: 11 additions & 6 deletions
@@ -63,8 +63,8 @@ If you package an **application** as a Python package, this action is useful to
63
63
64
64
```yaml
65
65
jobs:
66
-
check-package:
67
-
name: Build & inspect our package.
66
+
build-and-inspect-package:
67
+
name: Build & inspect package.
68
68
runs-on: ubuntu-latest
69
69
70
70
steps:
@@ -76,8 +76,8 @@ To also upload to PyPI:
76
76
77
77
```yaml
78
78
jobs:
79
-
build-package:
80
-
name: Build and inspect package.
79
+
build-and-inspect-package:
80
+
name: Build & inspect package.
81
81
runs-on: ubuntu-latest
82
82
83
83
steps:
@@ -86,8 +86,8 @@ jobs:
86
86
87
87
88
88
upload-to-pypi:
89
-
name: Upload prebuilt package to PyPI
90
-
needs: build-package
89
+
name: Upload package to PyPI
90
+
needs: build-and-inspect-package
91
91
runs-on: ubuntu-latest
92
92
permissions:
93
93
# IMPORTANT: this permission is mandatory for trusted publishing, but
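Review bot: In the `upload-to-pypi` job, the new name "Upload package to PyPI" drops the word "prebuilt", which was the only cue in this snippet that the job uploads what `build-and-inspect-package` produced and builds nothing itself. Consider keeping "Upload prebuilt package to PyPI", since the split between building and uploading is what keeps the job carrying the trusted-publishing permission small. The `needs:` value does match the job id renamed in the previous hunk.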
@@ -103,6 +103,11 @@ jobs:
103
103
- uses: pypa/gh-action-pypi-publish@release/v1
104
104
```
105
105
106
+
> [!IMPORTANT]
107
+
> For security reasons, keep the job that has the `id-token: write` permission as short as possible.
108
+
109
+
---
110
+
106
111
If you’re using a VCS tag-based version extractor like [*setuptools-scm*] and need the built package to have the correct version, you must use *actions/checkout* with `fetch-depth: 0` – unless the latest commit _is_ the version tag.
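Review bot: The added `[!IMPORTANT]` note says "for security reasons" without giving the reason, and "as short as possible" can be read as run time rather than number of steps. Suggest spelling it out, for example: "Every step in a job with `id-token: write` can request an OIDC token and use it to publish to PyPI, so keep that job to the steps needed for the upload and do the build in a separate job."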