Automate maintenance #155

Merged
merged 1 commit into from
Jun 14, 2021

papr
Contributor

@papr papr commented Jun 3, 2021

TLDR: Automates maintenance/deployment by automatically bumping project versions on PR merges and publishing the version-bumped source distribution to PyPI. Requires a one-time setup before merging.

This is a bigger one. Details can be found in the new MAINTENANCE.md file.

This PR splits the previous testing+deployment GitHub Action into:

  1. Testing on push or pull request
  2. Deployment on PyPI (with opt-out version bumps)

Things to set up once before merging:

  • PyPI authentication
  • labels - Can be set up later, too. New PRs without bump:* labels bump the patch part by default
    • bump:none
    • bump:major
    • bump:minor
    • bump:patch

I tested this PR thoroughly on my own repository.

* Set up manual bump2version

* Add *.whl and .vscode/ to .gitignore

* Remove deployment step from testing workflow

* Deploy on new tag workflow

* Bump version on merge

* Fix deploy-on-tag pattern matching

* Use personal token for version bumps

* Only test push events on master

Avoids duplicated test runs on pull_request

* Explicitly push tags on version bump

* Bump version: Fix priority when multiple labels

* Setup git name and email from secrets

* Use repository dispatch to trigger deployment workflow

* Use token with more permissions

* Combine deployment workflows

* Do not fail fast during testing
@keent
Member

keent commented Jun 3, 2021

Pinging @minrk or @ellisonbg. If you could add me as a maintainer in https://pypi.org/project/pyzmq/ I could do it for ya. My email is granvillelintao at gmail

@papr
Contributor Author

papr commented Jun 4, 2021

@keent I thought there might be a zeromq-organisation-level pypi account, but I just realised, they just created a personal PyPI account. You do not need to be a maintainer for https://pypi.org/project/pyzmq/ to generate API tokens for zeromq-pyre.

@papr
Contributor Author

papr commented Jun 9, 2021

@keent is there anything else I can do to ease the setup of the necessary changes? I have another project that depends on pyre, and I would like to publish it on PyPI. Unfortunately, I cannot do so until pyre is available there, too. Direct dependencies are not allowed on PyPI.

@keent
Member

keent commented Jun 9, 2021

@papr ok you want me to upload pyre to pypi. what else do I need to do to help out?

@papr
Contributor Author

papr commented Jun 9, 2021

Hi, these are the steps for the setup:

  1. Create a PyPI account: https://pypi.org/account/register/
  2. Create a new PyPI token: https://pypi.org/manage/account/token/
  3. Create a new repository secret https://github.com/zeromq/pyre/settings/secrets/actions/new
    1. Name it PYPI_TOKEN
    2. Copy and paste the token from step 2

@keent
Member

keent commented Jun 11, 2021

pinging @sphaero. do you have access on the settings page? It seems like I don't. We want to add the pypi token.
https://github.com/zeromq/pyre/settings/secrets/actions/new

It would be great for PyPI automation

@sphaero
Contributor

sphaero commented Jun 11, 2021

how about now?

@keent
Member

keent commented Jun 11, 2021

@sphaero Thanks. Now I can see the settings page. But not the more specific 'secrets' tab on it.

@papr
Contributor Author

papr commented Jun 12, 2021

One needs admin rights to access the secrets settings. @sphaero Feel free to perform the setup steps (#155 (comment)) by yourself if you are not comfortable with giving admin privileges to someone else.

@sphaero
Contributor

sphaero commented Jun 12, 2021

I'm not sure what the policy is here. I have to talk to some of the core zeromq members @bluca @somdoron @sappo . I've created a PYPI_TOKEN on my pypi account. Does that help for now?

@bluca
Member

bluca commented Jun 12, 2021

Never set up pypi before, but if you need me to paste tokens somewhere, you can email it to me gpg encrypted, my public key is on https://keys.openpgp.org/ and also pasted here https://github.com/zeromq/libzmq/security/policy

@keent
Member

keent commented Jun 13, 2021

@bluca sent you the token via encrypted email. my gmail is also on this page and also available at https://keys.openpgp.org/.
thanks.
Kindly do this last step:

  3. Create a new repository secret https://github.com/zeromq/pyre/settings/secrets/actions/new
    1. Name it PYPI_TOKEN
    2. Copy and paste the token from step 2

@bluca
Member

bluca commented Jun 14, 2021

@keent done!

@keent keent merged commit 9b88826 into zeromq:master Jun 14, 2021
@keent
Member

keent commented Jun 14, 2021

It failed at https://github.com/zeromq/pyre/runs/2823212481?check_suite_focus=true Bump Version

remote: Permission to zeromq/pyre.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/zeromq/pyre.git/': The requested URL returned error: 403

Let me know

@papr
Contributor Author

papr commented Jun 14, 2021

Looks like the GITHUB_TOKEN only has read-access when triggered from a forked repository.

@keent you should be able to re-trigger the workflow manually from https://github.com/zeromq/pyre/actions/workflows/deploy.yml. Since it is a manual within-repo action, the token should get write access.

I will look for a long-term solution to avoid the need of manual deployments.

Edit: Long-term solution requires setting up a personal access token and saving it as an additional repository secret. Source

@keent
Member

keent commented Jun 15, 2021

@papr
Contributor Author

papr commented Jun 15, 2021

Possible. I thought write-permissions were the default. At least, they were in my repo when I tested the workflow. :-/ It indeed looks like the token could have read-access only. Do you have enough access to change these settings?

@keent
Member

keent commented Jun 16, 2021

I don't have access. @bluca Can you please help changing the github token access to both write and read. Example: https://docs.github.com/en/github/administering-a-repository/managing-repository-settings/disabling-or-limiting-github-actions-for-a-repository

We need it for the deployment. Thanks
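
The 403 in this thread came from a GITHUB_TOKEN without write access. A workflow can also declare the token scope it needs in the file itself, so the deploy job does not depend on the repository-wide default (runs for pull requests from forks still get a read-only token). The following is an added example, not the project's deploy.yml; the job name, the git identity and the `patch` bump are assumptions.

```yaml
# Added example: hypothetical deploy workflow, not the project's deploy.yml.
name: Deploy (example)

on:
  workflow_dispatch:          # manual, within-repo trigger as used in this thread

# Start from read-only so nothing depends on the repository default.
permissions:
  contents: read

jobs:
  bump-and-publish:           # job name is an assumption
    runs-on: ubuntu-latest
    permissions:
      contents: write         # needed to push the version-bump commit and tag
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: "3.x"
      - name: Install tooling
        run: python -m pip install bump2version build twine
      - name: Bump version and push
        run: |
          # Placeholder identity; the PR reads name and email from secrets.
          git config user.name "example-bot"
          git config user.email "example-bot@example.invalid"
          # Assumes commit = True and tag = True in .bumpversion.cfg.
          bump2version patch
          git push origin HEAD
          git push origin --tags
      - name: Publish sdist to PyPI
        env:
          # "__token__" is the fixed user name for PyPI API tokens.
          TWINE_USERNAME: __token__
          # The secret is exposed to this step only, not to the whole job.
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
        run: |
          python -m build --sdist
          twine upload dist/*
```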

@bluca
Member

bluca commented Jun 16, 2021

done

@papr
Contributor Author

papr commented Jun 16, 2021

@bluca @keent Do you want me to make a PR that uses a personal access token (PAT) instead of the GITHUB_TOKEN? Currently, deployment would still require manually triggering the workflow. The PAT would allow automatic deployment on merge.

@keent
Member

keent commented Jun 16, 2021

@papr it works now. https://pypi.org/project/zeromq-pyre/. well done. thanks
that could be the great next step, to fully automate

@keent
Member

keent commented Jun 16, 2021

I could still help with manual deployment. Just let me know
