Proposal to implement continuous integration workflows for quality checks and releases

[EuleMitKeule]

I'd like to propose the implementation of some GitHub actions workflows to automate the following tasks:

Code Quality

This workflow will run our code analysis tools on new pull requests and inform contributors of any formatting or typing related issues as to reduce the number of commits that have to be made regarding this topic.

Release

We could use semantic-release to automate release creation either on pushes/merges to main or on manual invocation of the workflow. semantic-release will then calculate a version from the new commits as long as the commits follow the Conventional Commits format. This format could also optionally be forced using pre-commit along with gitlint.

Publish

The publish workflow will build the package automatically when a new release is created by the release workflow or by hand. The package will then be uploaded to pyPI.

To accomplish these automations @dbuezas will have to create an access token with read and write access to this repository and save it in a repository actions secret. I normally name this variable PAT.

[dbuezas]

Sounds good to me, but I'll need a section on the readme on how to go about things, I'm not familiar with python CIs

[EuleMitKeule]

Sure, I can write some explanations on how the CI works. By the way, I sent you a DM on Discord with the PyPI token I created, so that we can publish the package to PyPI from the CI.

[rytilahti]

Just a side note, instead of hard-coding the token inside the project settings, you could alternatively use trusted publisher setup :-)

[EuleMitKeule]

I actually already added the repo as a trusted publisher, but I'm not sure how this setup interacts with the poetry publish mechanism and therefore decided it would be easier to just use a token. 😄

[rytilahti]

Here's how I have done it in one project using poetry: https://github.com/python-kasa/python-kasa/blob/master/.github/workflows/publish.yml https://github.com/python-kasa/python-kasa/blob/master/pyproject.toml#L84 - as long as the build system is configured properly, it should work just fine on all pep517 build backends.

[EuleMitKeule]

What I mean is I want to use the specific command described here to publish the package and at least the poetry documentation about configuring credentials (found here) does not say anything about using the trusted publisher setup. I probably could just use twine or use the premade action from your workflow, but I just like to integrate as much with poetry as I can. Maybe trusted publishers work with poetry publish though, I'll have to try it out once the changes are merged into main.

Also the repository access token definetely has to be added if we want automatic releases to work.

[rytilahti]

Yeah, looks like poetry doesn't currently support that, so that's why I just used the one documented on pypa's docs on trusted publishing.

Anyway, if you go with the trusted publishers route, it doesn't need any access tokens as the action can then authenticate itself to pypi. That feature was basically developed to avoid hard-coding long-lived tokens to make the process more secure.

[EuleMitKeule]

Okay, you are right, I'll update the workflow later today to remove the token and use twine or the action your using to publish.