create PyPI API token and encrypt "secret" for Github organization #1

Closed
anthrotype opened this issue May 20, 2020 · 10 comments

@anthrotype
Member

I just finished setting up GitHub Actions so that it builds the wheels for mac, linux and windows using cibuildwheel. So far so good.

Now I tried to also set up automatic deployment to PyPI on tags, however I stumbled on a permissions obstacle and need help from one of the admins of the "adobe-type-tools" GitHub organization.

Basically, we need an authentication token for PyPI, and then we need to encrypt the latter using GitHub "secret variables". However, since this repository is not a normal user repository but is part of a GitHub organization, these secrets are administered by the organization's admins, and I don't have access to those settings as an external collaborator.

So we need two things:

  1. create a PyPI API token for the cffsubr project, following the instructions at https://pypi.org/help/ (search "use API tokens to authenticate with PyPI").

  2. encrypt the generated token as an organization secret following instructions at https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-an-organization

You should name the encrypted secret pypi_password so that it will be automatically recognized by my GH actions setup:

password: ${{ secrets.pypi_password }}

Thank you!

@josh-hadley
Contributor

Hmm, I think this can be accomplished with a regular PyPI token scoped to this project, and stored as a repo-level secret (not org-level). I have done exactly that and published to PyPI with GitHub Actions on the pyots project.

I just added a repo-level pypi_password secret for this repo, so we can try publishing and see if it works as expected. If not we can investigate the org-level secret if needed.

@anthrotype
Member Author

ok thank you, I will try now to push a tag and see if that works

@anthrotype
Member Author

btw, I didn't know about pyots, cool :)

@josh-hadley
Contributor

It partly worked: https://github.com/adobe-type-tools/cffsubr/runs/693818612

But you are hitting the same problem I did in pyots: pypa/gh-action-pypi-publish is only supported under Linux. I ended up building the wheels in each of the individual platforms and attaching the assets for release, then a separate job that retrieves the assets and does the PyPI publishing step.

@anthrotype
Member Author

btw, it worked! only that the action from pypa that I used to publish the wheels only supports linux for some reasons.. I'll just switch to calling twine manually myself, no big deal.

@anthrotype
Member Author

I just used twine and it works now
bf4fe88

@anthrotype
Member Author

almost.. the second windows build failed because setuptools_scm thinks the repository is "dirty" and thus doesn't assign a final version string and PyPI rejects the upload.
I have to check if I can somehow do a git clean in between builds or something..

@anthrotype
Member Author

@josh-hadley I don't have a windows machine to test this locally, but I have a hunch that the afdko's .gitignore may be missing some byproducts of the build process for Windows, hence the afdko repository (included here as a git submodule) may end up being in a "dirty" state after cibuildwheel completes the first build (for 32 bit windows); then the subsequent build for 64-bit fails with the error from PyPI about local versions not being allowed.

Could somebody try to run python setup.py build or pip wheel -v . on windows and see if after that git status reports any untracked or modified files?

@anthrotype
Member Author

weird.. after I added a git clean command just before each build, it's working now. This seems to confirm my hypothesis that the afdko .gitignore is leaving behind some dirty files. I recommend that you take a look at that at some point. Closing this for now

@josh-hadley
Contributor

OK thanks, yeah this sounds familiar, I think Miguel had some headaches related to this a while ago on one of the AFDKO CIs.
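
The failure discussed in this thread (a "dirty" tree makes setuptools_scm emit a local version, which PyPI then rejects) can be caught before the upload step. The following is an added example, not part of the thread or the project's workflow: a pre-upload gate that parses wheel filenames and blocks any whose version carries a PEP 440 local segment. The package name, versions and paths in the sample are constructed.

```python
"""Pre-upload gate: refuse to publish wheels whose version has a local segment."""
import sys
from pathlib import PurePath


def wheel_version(filename: str) -> str:
    """Return the version field of a wheel filename (PEP 427 naming)."""
    name = PurePath(filename).name
    if not name.endswith(".whl"):
        raise ValueError(f"not a wheel: {name}")
    # name-version[-build]-pytag-abitag-platform gives 5 or 6 fields
    parts = name[: -len(".whl")].split("-")
    if len(parts) not in (5, 6):
        raise ValueError(f"unexpected wheel filename: {name}")
    return parts[1]


def has_local_version(version: str) -> bool:
    """PEP 440 local version identifiers follow a '+'; PyPI does not accept them."""
    return "+" in version


def blocked_wheels(filenames):
    """Return (filename, version) for every wheel that must not be uploaded."""
    blocked = []
    for filename in filenames:
        version = wheel_version(filename)
        if has_local_version(version):
            blocked.append((filename, version))
    return blocked


# Constructed sample: the first build is clean, the second was built from a
# tree that setuptools_scm considered dirty, so it got a "+d<date>" suffix.
SAMPLE_DIST = [
    "dist/examplepkg-1.0.0-cp38-cp38-win32.whl",
    "dist/examplepkg-1.0.0+d20200520-cp38-cp38-win_amd64.whl",
]

if __name__ == "__main__":
    # Pass the built wheel paths as arguments; falls back to the sample.
    bad = blocked_wheels(sys.argv[1:] or SAMPLE_DIST)
    for filename, version in bad:
        print(f"refusing to upload {filename}: local version {version!r}")
    sys.exit(1 if bad else 0)
```

Run as a CI step between the build and the upload, a non-zero exit stops the job before the PyPI token is used.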
