From 05a8a4fab46f29ab48ab1cc0f844f048d612f688 Mon Sep 17 00:00:00 2001 From: Daniel Carl Jones Date: Thu, 25 Jun 2026 15:07:44 +0100 Subject: [PATCH 1/3] fix: update release workflow to publish to PyPI in the same workflow instead of workflow call --- .github/workflows/publish.yml | 33 +++++++++++++++++++++++++--- .github/workflows/release_python.yml | 3 +++ 2 files changed, 33 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index d9e91b3e0e..6bfe216185 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -61,14 +61,41 @@ jobs: env: CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }} - # Trigger Python release after crate publishing completes. + # Trigger Python packaging after crate publishing completes. # Only runs for tag pushes; for manual Python releases, use workflow_dispatch on release_python.yml directly. - release-python: + package-python: needs: [publish] if: ${{ startsWith(github.ref, 'refs/tags/') }} permissions: contents: read - id-token: write # Required for PyPI trusted publishing in the called workflow uses: ./.github/workflows/release_python.yml with: release_tag: ${{ github.ref_name }} + + # Publish Python wheels to PyPI using trusted publishing. + # This must be a top-level job (not inside a reusable workflow) so that the + # OIDC token's workflow ref matches the trusted publisher configured on PyPI. + # See: https://github.com/pypi/warehouse/issues/11096 + pypi-publish: + name: Publish Python 🐍 distribution 📦 to PyPI + needs: [package-python] + if: ${{ startsWith(github.ref, 'refs/tags/') }} + runs-on: ubuntu-latest + environment: + name: pypi + url: https://pypi.org/p/pyiceberg-core + permissions: + id-token: write # Allows trusted publishing authentication with PyPI + steps: + - name: Download all the dists + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + pattern: wheels-* + merge-multiple: true + path: bindings/python/dist + - name: Publish to PyPI + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 + with: + skip-existing: true + packages-dir: bindings/python/dist + verbose: true diff --git a/.github/workflows/release_python.yml b/.github/workflows/release_python.yml index 3583114588..bda27322a8 100644 --- a/.github/workflows/release_python.yml +++ b/.github/workflows/release_python.yml @@ -209,6 +209,9 @@ jobs: pypi-publish: name: Publish Python 🐍 distribution 📦 to Pypi needs: [sdist, wheels] + # PyPI publish must always be in the top-level workflow + # The calling workflow must instead implement publishing in its own workflow definition + if: ${{ github.event_name == 'workflow_dispatch' }} runs-on: ubuntu-latest environment: From e7b0c0ead79e87c835dc335633fb70cf8cc69c02 Mon Sep 17 00:00:00 2001 From: Daniel Carl Jones Date: Thu, 2 Jul 2026 11:31:19 +0100 Subject: [PATCH 2/3] Update PyPI workflow to build and publish independently of crates workflow --- .github/workflows/publish.yml | 39 ---------------------------- .github/workflows/release_python.yml | 22 +++++++++------- 2 files changed, 12 insertions(+), 49 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index e6f6d38cfc..f03820d08d 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -60,42 +60,3 @@ jobs: shell: bash env: CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }} - - # Trigger Python packaging after crate publishing completes. - # Only runs for tag pushes; for manual Python releases, use workflow_dispatch on release_python.yml directly. - package-python: - needs: [publish] - if: ${{ startsWith(github.ref, 'refs/tags/') }} - permissions: - contents: read - uses: ./.github/workflows/release_python.yml - with: - release_tag: ${{ github.ref_name }} - - # Publish Python wheels to PyPI using trusted publishing. - # This must be a top-level job (not inside a reusable workflow) so that the - # OIDC token's workflow ref matches the trusted publisher configured on PyPI. - # See: https://github.com/pypi/warehouse/issues/11096 - pypi-publish: - name: Publish Python 🐍 distribution 📦 to PyPI - needs: [package-python] - if: ${{ startsWith(github.ref, 'refs/tags/') }} - runs-on: ubuntu-latest - environment: - name: pypi - url: https://pypi.org/p/pyiceberg-core - permissions: - id-token: write # Allows trusted publishing authentication with PyPI - steps: - - name: Download all the dists - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - with: - pattern: wheels-* - merge-multiple: true - path: bindings/python/dist - - name: Publish to PyPI - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 - with: - skip-existing: true - packages-dir: bindings/python/dist - verbose: true diff --git a/.github/workflows/release_python.yml b/.github/workflows/release_python.yml index 6bda2d8d67..3bbbd47632 100644 --- a/.github/workflows/release_python.yml +++ b/.github/workflows/release_python.yml @@ -18,12 +18,14 @@ name: Publish Python 🐍 distribution 📦 to PyPI on: - workflow_call: - inputs: - release_tag: - description: 'Release tag (e.g., v0.4.0 or v0.4.0-rc.1)' - required: true - type: string + # Given PyPI doesn't support workflow reuse, + # this workflow independently releases PyPI artifacts rather than being called by the crates release workflow. + push: + tags: + # Trigger this workflow when tag follows the versioning format: v.. OR v..-rc. + # Example valid tags: v0.4.0, v0.4.0-rc.1 + - "v[0-9]+.[0-9]+.[0-9]+" + - "v[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+" workflow_dispatch: inputs: release_tag: @@ -209,9 +211,6 @@ jobs: pypi-publish: name: Publish Python 🐍 distribution 📦 to Pypi needs: [sdist, wheels] - # PyPI publish must always be in the top-level workflow - # The calling workflow must instead implement publishing in its own workflow definition - if: ${{ github.event_name == 'workflow_dispatch' }} runs-on: ubuntu-latest environment: @@ -228,9 +227,12 @@ jobs: pattern: wheels-* merge-multiple: true path: bindings/python/dist + + # Note: PyPI publish must always be in the top-level workflow + # Workflow reuse is not supported by PyPI: https://github.com/pypi/warehouse/issues/11096 - name: Publish to PyPI uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: - skip-existing: true + skip-existing: false packages-dir: bindings/python/dist verbose: true From 4b7a1f1a41ad53327358f21bca02338a159d09e6 Mon Sep 17 00:00:00 2001 From: Daniel Carl Jones Date: Thu, 2 Jul 2026 11:43:56 +0100 Subject: [PATCH 3/3] Disable cache for PyPI releases --- .github/workflows/release_python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release_python.yml b/.github/workflows/release_python.yml index 3bbbd47632..fc348a5350 100644 --- a/.github/workflows/release_python.yml +++ b/.github/workflows/release_python.yml @@ -192,7 +192,7 @@ jobs: - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: version: "0.9.3" - enable-cache: true + enable-cache: false # Do not use cache for release artifacts # Verify the wheel is abi3-compatible and installable without building from source. # Skipped for cross-compiled targets since they share the same maturin config; # if abi3 is broken, the native target build will catch it.