From a419d40e092a175bf551c7b4922b578fd2f4b876 Mon Sep 17 00:00:00 2001
From: evgenii
Date: Thu, 26 Jun 2025 16:53:20 +0300
Subject: [PATCH 01/23] CI: add Trusted Publishing job to wheels workflow (#61669)
---
.github/workflows/publish.yml | 26 ++++++++++++++++++++++++
.github/workflows/wheels.yml | 37 +++++++++++++++++++++++++++++++++++
2 files changed, 63 insertions(+)
create mode 100644 .github/workflows/publish.yml
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000000000..34aa09ec5ee24
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,26 @@
+name: Release – upload to TestPyPI with Trusted Publishing
+
+on:
+ push:
+ tags: ["v*"] # fires only on tag pushes
+ workflow_dispatch:
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ environment:
+ name: testpypi
+ permissions:
+ id-token: write
+ contents: read
+
+ steps:
+ - uses: actions/download-artifact@v4
+ with:
+ name: dist
+ path: dist
+
+ - name: Publish to TestPyPI (Trusted Publishing)
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ repository-url: https://test.pypi.org/legacy/
diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml
index 4de7aec4f551a..e9c0de7d38f97 100644
--- a/.github/workflows/wheels.yml
+++ b/.github/workflows/wheels.yml
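Review bot: `uses: pypa/gh-action-pypi-publish@release/v1` is a branch ref that can be moved, and it runs in a job granted `id-token: write`, so whatever that ref points to at run time can request the OIDC token that Trusted Publishing exchanges for an upload credential. Pin it to a full commit SHA with the version kept as a comment, `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, and do the same for `actions/download-artifact@v4`. The same two references appear in the `publish` job this patch adds to `wheels.yml` and in the versions of that job re-added by patches 08 and 17. Separately, this standalone workflow has no build job, and `download-artifact` only sees artifacts of the current run by default, so `name: dist` presumably finds nothing here.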
@@ -219,3 +219,40 @@ jobs: source ci/upload_wheels.sh set_upload_vars upload_wheels + +# --------------------------------------------------------------- +# PUBLISH – upload all wheels & sdist to Test PyPI via OIDC +# --------------------------------------------------------------- + publish: + if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') + needs: + - build_sdist + - build_wheels + runs-on: ubuntu-latest + + environment: + name: testpypi # ← keep for dry-run; change to pypi before PR + permissions: + id-token: write # OIDC token for Trusted Publishing + contents: read + + steps: + # 1. Pull every artifact produced by the two upstream jobs + - name: Download all artifacts + uses: actions/download-artifact@v4 + with: + path: dist # all files land in ./dist/** + + # 2. Move wheels & sdist into a flat 'upload' dir (action expects that) + - name: Collect files + run: | + mkdir -p upload + find dist -name '*.whl' -exec mv {} upload/ \; + find dist -name '*.tar.gz' -exec mv {} upload/ \; + + # 3. Publish to **Test PyPI** using Trusted Publishing + - name: Publish to TestPyPI (Trusted Publishing) + uses: pypa/gh-action-pypi-publish@release/v1 + with: + repository-url: https://test.pypi.org/legacy/ + packages-dir: upload From abda427fcd41a071302347a1e8678befa953e0d4 Mon Sep 17 00:00:00 2001 From: evgenii Date: Thu, 26 Jun 2025 16:56:35 +0300 Subject: [PATCH 02/23] Remove obsolete standalone publish workflow --- .github/workflows/publish.yml | 26 -------------------------- 1 file changed, 26 deletions(-) delete mode 100644 .github/workflows/publish.yml diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml deleted file mode 100644 index 34aa09ec5ee24..0000000000000 --- a/.github/workflows/publish.yml +++ /dev/null 
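Review bot: The `Download all artifacts` step sets neither `name` nor `pattern`, and `Collect files` then moves every `*.whl` and `*.tar.gz` found under `dist` into `upload`, so anything that any job in this run stored as an artifact becomes eligible for publication. Restrict the download to what `build_sdist` and `build_wheels` produce, e.g. `pattern: <artifact-name-glob>` (the artifact names are not visible in this hunk). The collect step should also fail when `upload` ends up empty or when two files share a basename, because `mv` into a flat directory overwrites silently.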
@@ -1,26 +0,0 @@ -name: Release – upload to TestPyPI with Trusted Publishing - -on: - push: - tags: ["v*"] # fires only on tag pushes - workflow_dispatch: - -jobs: - publish: - runs-on: ubuntu-latest - environment: - name: testpypi - permissions: - id-token: write - contents: read - - steps: - - uses: actions/download-artifact@v4 - with: - name: dist - path: dist - - - name: Publish to TestPyPI (Trusted Publishing) - uses: pypa/gh-action-pypi-publish@release/v1 - with: - repository-url: https://test.pypi.org/legacy/ From 6e9027c72491912102b2589c033ecca3e1fe59d1 Mon Sep 17 00:00:00 2001 From: evgenii Date: Thu, 26 Jun 2025 18:04:07 +0300 Subject: [PATCH 03/23] CI: fix wheel-workflow YAML, drop win-arm64 --- .github/workflows/wheels.yml | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml index e9c0de7d38f97..7a65f06935257 100644 --- a/.github/workflows/wheels.yml +++ b/.github/workflows/wheels.yml @@ -100,7 +100,7 @@ jobs: # Note: M1 images on Github Actions start from macOS 14 - [macos-14, macosx_arm64] - [windows-2022, win_amd64] - - [windows-11-arm, win_arm64] + # - [windows-11-arm, win_arm64] # TODO: support PyPy? python: [["cp310", "3.10"], ["cp311", "3.11"], ["cp312", "3.12"], ["cp313", "3.13"], ["cp313t", "3.13"]] include: @@ -110,12 +110,12 @@ jobs: - buildplat: [ubuntu-24.04, pyodide_wasm32] python: ["cp312", "3.12"] cibw_build_frontend: 'build' - exclude: - - buildplat: [windows-11-arm, win_arm64] - python: ["cp310", "3.10"] - # BackendUnavailable: Cannot import 'mesonpy' - - buildplat: [windows-11-arm, win_arm64] - python: ["cp313t", "3.13"] + # exclude: + # - buildplat: [windows-11-arm, win_arm64] + # python: ["cp310", "3.10"] + # # BackendUnavailable: Cannot import 'mesonpy' + # - buildplat: [windows-11-arm, win_arm64] + # python: ["cp313t", "3.13"] env: IS_PUSH: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }} 
@@ -126,11 +126,11 @@ jobs: with: fetch-depth: 0 - - name: Set up MSVC environment for ARM64 - if: matrix.buildplat[1] == 'win_arm64' - uses: ilammy/msvc-dev-cmd@v1 - with: - arch: arm64 + # - name: Set up MSVC environment for ARM64 + # if: matrix.buildplat[1] == 'win_arm64' + # uses: ilammy/msvc-dev-cmd@v1 + # with: + # arch: arm64 # TODO: Build wheels from sdist again # There's some sort of weird race condition? @@ -170,7 +170,7 @@ jobs: CIBW_BUILD: ${{ matrix.python[0] }}-${{ matrix.buildplat[1] }} CIBW_BUILD_FRONTEND: ${{ matrix.cibw_build_frontend || 'pip' }} CIBW_PLATFORM: ${{ (matrix.buildplat[1] == 'pyodide_wasm32' && 'pyodide') || (matrix.buildplat[1] == 'win_arm64' && 'windows') || 'auto' }} - CIBW_ARCHS: ${{ matrix.buildplat[1] == 'win_arm64' && 'ARM64' || 'auto' }} + # CIBW_ARCHS: ${{ matrix.buildplat[1] == 'win_arm64' && 'ARM64' || 'auto' }} CIBW_BEFORE_BUILD_WINDOWS: 'python -m pip install delvewheel' - name: Set up Python for validation/upload (non-ARM64 Windows & other OS) @@ -188,11 +188,11 @@ jobs: cache-downloads: true cache-environment: true - - name: Install wheel for win_arm64 - # installing wheel here because micromamba step was skipped - if: matrix.buildplat[1] == 'win_arm64' - shell: bash -el {0} - run: python -m pip install wheel + # - name: Install wheel for win_arm64 + # # installing wheel here because micromamba step was skipped + # if: matrix.buildplat[1] == 'win_arm64' + # shell: bash -el {0} + # run: python -m pip install wheel - name: Validate wheel RECORD shell: bash -el {0} From e3e583d8a6af4265e8b09ff158a33fa09216a5f7 Mon Sep 17 00:00:00 2001 From: evgenii Date: Thu, 26 Jun 2025 19:55:25 +0300 Subject: [PATCH 04/23] CI: set project name to evgmosme-pandas for TestPyPI --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index b17a1eacfa717..8ec45c0ee3346 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -15,7 +15,7 @@ requires = [ build-backend = "mesonpy" [project] -name = 'pandas' +name = 'evgmosme-pandas' dynamic = [ 'version' ] From 9f9013e515ef5e4ee4e134b95b500c66e562442c Mon Sep 17 00:00:00 2001 From: evgenii Date: Thu, 26 Jun 2025 22:30:55 +0300 Subject: [PATCH 05/23] CI: temporarily shrink workflow matrix and add --- .github/workflows/wheels.yml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml index 7a65f06935257..6785201e49cae 100644 --- a/.github/workflows/wheels.yml +++ b/.github/workflows/wheels.yml @@ -93,16 +93,17 @@ jobs: # https://github.com/github/feedback/discussions/7835#discussioncomment-1769026 buildplat: - [ubuntu-24.04, manylinux_x86_64] - - [ubuntu-24.04, musllinux_x86_64] - - [ubuntu-24.04-arm, manylinux_aarch64] - - [ubuntu-24.04-arm, musllinux_aarch64] - - [macos-13, macosx_x86_64] - # Note: M1 images on Github Actions start from macOS 14 - - [macos-14, macosx_arm64] - - [windows-2022, win_amd64] + # - [ubuntu-24.04, musllinux_x86_64] + # - [ubuntu-24.04-arm, manylinux_aarch64] + # - [ubuntu-24.04-arm, musllinux_aarch64] + # - [macos-13, macosx_x86_64] + # # Note: M1 images on Github Actions start from macOS 14 + # - [macos-14, macosx_arm64] + # - [windows-2022, win_amd64] # - [windows-11-arm, win_arm64] # TODO: support PyPy? - python: [["cp310", "3.10"], ["cp311", "3.11"], ["cp312", "3.12"], ["cp313", "3.13"], ["cp313t", "3.13"]] + # python: [["cp310", "3.10"], ["cp311", "3.11"], ["cp312", "3.12"], ["cp313", "3.13"], ["cp313t", "3.13"]] + python: [["cp312", "3.12"]] include: # Build Pyodide wheels and upload them to Anaconda.org # NOTE: this job is similar to the one in unit-tests.yml except for the fact @@ -256,3 +257,4 @@ jobs: with: repository-url: https://test.pypi.org/legacy/ packages-dir: upload + skip-existing: true From 4e4cc1e6677fba8ab7a1bf48e76e8c8bf6524880 Mon Sep 17 00:00:00 2001 
From: evgenii Date: Thu, 26 Jun 2025 22:58:31 +0300 Subject: [PATCH 06/23] CI: skip pyodide wheel on TestPyPI upload --- .github/workflows/wheels.yml | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml index 6785201e49cae..37b1104d2bd9f 100644 --- a/.github/workflows/wheels.yml +++ b/.github/workflows/wheels.yml @@ -231,8 +231,13 @@ jobs: - build_wheels runs-on: ubuntu-latest + # ---------- current TEST settings ---------- environment: - name: testpypi # ← keep for dry-run; change to pypi before PR + name: testpypi # keep while testing + # ---------- FINAL settings (uncomment) ---------- + # environment: + # name: pypi # ← enable for PyPI + permissions: id-token: write # OIDC token for Trusted Publishing contents: read 
@@ -244,17 +249,26 @@ jobs: with: path: dist # all files land in ./dist/** - # 2. Move wheels & sdist into a flat 'upload' dir (action expects that) + # 2. Move wheels & sdist into a flat 'upload' dir (skip Pyodide wheels) - name: Collect files run: | mkdir -p upload - find dist -name '*.whl' -exec mv {} upload/ \; + # skip anything containing 'pyodide' in the filename + find dist -name '*pyodide*.whl' -prune -o \ + -name '*.whl' -exec mv {} upload/ \; find dist -name '*.tar.gz' -exec mv {} upload/ \; - # 3. Publish to **Test PyPI** using Trusted Publishing + # 3. Publish to TestPyPI using Trusted Publishing - name: Publish to TestPyPI (Trusted Publishing) uses: pypa/gh-action-pypi-publish@release/v1 with: - repository-url: https://test.pypi.org/legacy/ + repository-url: https://test.pypi.org/legacy/ # test endpoint packages-dir: upload skip-existing: true + + # ---------- FINAL publish block (uncomment, remove test one above) ---------- + # - name: Publish to PyPI (Trusted Publishing) # ← enable for PyPI + # uses: pypa/gh-action-pypi-publish@release/v1 + # with: + # repository-url: https://upload.pypi.org/legacy/ # ← production endpoint + # packages-dir: upload From d311ce4cad9827c1483aac999d7d884b9f62ba23 Mon Sep 17 00:00:00 2001 From: evgenii Date: Thu, 26 Jun 2025 23:33:32 +0300 Subject: [PATCH 07/23] Restore original wheels.yml from upstream/main --- .github/workflows/wheels.yml | 105 +++++++++-------------------------- 1 file changed, 26 insertions(+), 79 deletions(-) diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml index 37b1104d2bd9f..4de7aec4f551a 100644 --- a/.github/workflows/wheels.yml +++ b/.github/workflows/wheels.yml 
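Review bot: The exclusion in `Collect files` keys on the substring `pyodide` in the wheel filename, which only works if the platform tag of the Pyodide build contains that word. Wheels built for Pyodide have also been tagged `emscripten_*_wasm32`, and such a file would pass the filter and land in `upload`; whether this build produces that tag is not visible here. Matching on the architecture is less brittle: `find dist -name '*wasm32*.whl' -prune -o -name '*.whl' -exec mv {} upload/ \;`. A comment stating why these wheels must not be uploaded would help more than the current one, which only restates the command.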
@@ -93,17 +93,16 @@ jobs: # https://github.com/github/feedback/discussions/7835#discussioncomment-1769026 buildplat: - [ubuntu-24.04, manylinux_x86_64] - # - [ubuntu-24.04, musllinux_x86_64] - # - [ubuntu-24.04-arm, manylinux_aarch64] - # - [ubuntu-24.04-arm, musllinux_aarch64] - # - [macos-13, macosx_x86_64] - # # Note: M1 images on Github Actions start from macOS 14 - # - [macos-14, macosx_arm64] - # - [windows-2022, win_amd64] - # - [windows-11-arm, win_arm64] + - [ubuntu-24.04, musllinux_x86_64] + - [ubuntu-24.04-arm, manylinux_aarch64] + - [ubuntu-24.04-arm, musllinux_aarch64] + - [macos-13, macosx_x86_64] + # Note: M1 images on Github Actions start from macOS 14 + - [macos-14, macosx_arm64] + - [windows-2022, win_amd64] + - [windows-11-arm, win_arm64] # TODO: support PyPy? - # python: [["cp310", "3.10"], ["cp311", "3.11"], ["cp312", "3.12"], ["cp313", "3.13"], ["cp313t", "3.13"]] - python: [["cp312", "3.12"]] + python: [["cp310", "3.10"], ["cp311", "3.11"], ["cp312", "3.12"], ["cp313", "3.13"], ["cp313t", "3.13"]] include: # Build Pyodide wheels and upload them to Anaconda.org # NOTE: this job is similar to the one in unit-tests.yml except for the fact @@ -111,12 +110,12 @@ jobs: - buildplat: [ubuntu-24.04, pyodide_wasm32] python: ["cp312", "3.12"] cibw_build_frontend: 'build' - # exclude: - # - buildplat: [windows-11-arm, win_arm64] - # python: ["cp310", "3.10"] - # # BackendUnavailable: Cannot import 'mesonpy' - # - buildplat: [windows-11-arm, win_arm64] - # python: ["cp313t", "3.13"] + exclude: + - buildplat: [windows-11-arm, win_arm64] + python: ["cp310", "3.10"] + # BackendUnavailable: Cannot import 'mesonpy' + - buildplat: [windows-11-arm, win_arm64] + python: ["cp313t", "3.13"] env: IS_PUSH: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }} 
@@ -127,11 +126,11 @@ jobs: with: fetch-depth: 0 - # - name: Set up MSVC environment for ARM64 - # if: matrix.buildplat[1] == 'win_arm64' - # uses: ilammy/msvc-dev-cmd@v1 - # with: - # arch: arm64 + - name: Set up MSVC environment for ARM64 + if: matrix.buildplat[1] == 'win_arm64' + uses: ilammy/msvc-dev-cmd@v1 + with: + arch: arm64 # TODO: Build wheels from sdist again # There's some sort of weird race condition? @@ -171,7 +170,7 @@ jobs: CIBW_BUILD: ${{ matrix.python[0] }}-${{ matrix.buildplat[1] }} CIBW_BUILD_FRONTEND: ${{ matrix.cibw_build_frontend || 'pip' }} CIBW_PLATFORM: ${{ (matrix.buildplat[1] == 'pyodide_wasm32' && 'pyodide') || (matrix.buildplat[1] == 'win_arm64' && 'windows') || 'auto' }} - # CIBW_ARCHS: ${{ matrix.buildplat[1] == 'win_arm64' && 'ARM64' || 'auto' }} + CIBW_ARCHS: ${{ matrix.buildplat[1] == 'win_arm64' && 'ARM64' || 'auto' }} CIBW_BEFORE_BUILD_WINDOWS: 'python -m pip install delvewheel' - name: Set up Python for validation/upload (non-ARM64 Windows & other OS) @@ -189,11 +188,11 @@ jobs: cache-downloads: true cache-environment: true - # - name: Install wheel for win_arm64 - # # installing wheel here because micromamba step was skipped - # if: matrix.buildplat[1] == 'win_arm64' - # shell: bash -el {0} - # run: python -m pip install wheel + - name: Install wheel for win_arm64 + # installing wheel here because micromamba step was skipped + if: matrix.buildplat[1] == 'win_arm64' + shell: bash -el {0} + run: python -m pip install wheel - name: Validate wheel RECORD shell: bash -el {0} 
@@ -220,55 +219,3 @@ jobs: source ci/upload_wheels.sh set_upload_vars upload_wheels - -# --------------------------------------------------------------- -# PUBLISH – upload all wheels & sdist to Test PyPI via OIDC -# --------------------------------------------------------------- - publish: - if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') - needs: - - build_sdist - - build_wheels - runs-on: ubuntu-latest - - # ---------- current TEST settings ---------- - environment: - name: testpypi # keep while testing - # ---------- FINAL settings (uncomment) ---------- - # environment: - # name: pypi # ← enable for PyPI - - permissions: - id-token: write # OIDC token for Trusted Publishing - contents: read - - steps: - # 1. Pull every artifact produced by the two upstream jobs - - name: Download all artifacts - uses: actions/download-artifact@v4 - with: - path: dist # all files land in ./dist/** - - # 2. Move wheels & sdist into a flat 'upload' dir (skip Pyodide wheels) - - name: Collect files - run: | - mkdir -p upload - # skip anything containing 'pyodide' in the filename - find dist -name '*pyodide*.whl' -prune -o \ - -name '*.whl' -exec mv {} upload/ \; - find dist -name '*.tar.gz' -exec mv {} upload/ \; - - # 3. Publish to TestPyPI using Trusted Publishing - - name: Publish to TestPyPI (Trusted Publishing) - uses: pypa/gh-action-pypi-publish@release/v1 - with: - repository-url: https://test.pypi.org/legacy/ # test endpoint - packages-dir: upload - skip-existing: true - - # ---------- FINAL publish block (uncomment, remove test one above) ---------- - # - name: Publish to PyPI (Trusted Publishing) # ← enable for PyPI - # uses: pypa/gh-action-pypi-publish@release/v1 - # with: - # repository-url: https://upload.pypi.org/legacy/ # ← production endpoint - # packages-dir: upload From 63609002965aea770d4e4580326f57ba014e2efd Mon Sep 17 00:00:00 2001 
From: evgenii Date: Thu, 26 Jun 2025 23:42:32 +0300 Subject: [PATCH 08/23] CI: skip win_arm64 for tests, add final publish block --- .github/workflows/wheels.yml | 65 ++++++++++++++++++++++++++++++++---- 1 file changed, 58 insertions(+), 7 deletions(-) diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml index 4de7aec4f551a..6b3ef098edbe1 100644 --- a/.github/workflows/wheels.yml +++ b/.github/workflows/wheels.yml @@ -100,7 +100,7 @@ jobs: # Note: M1 images on Github Actions start from macOS 14 - [macos-14, macosx_arm64] - [windows-2022, win_amd64] - - [windows-11-arm, win_arm64] + # - [windows-11-arm, win_arm64] # TODO: support PyPy? python: [["cp310", "3.10"], ["cp311", "3.11"], ["cp312", "3.12"], ["cp313", "3.13"], ["cp313t", "3.13"]] include: @@ -110,12 +110,13 @@ jobs: - buildplat: [ubuntu-24.04, pyodide_wasm32] python: ["cp312", "3.12"] cibw_build_frontend: 'build' - exclude: - - buildplat: [windows-11-arm, win_arm64] - python: ["cp310", "3.10"] - # BackendUnavailable: Cannot import 'mesonpy' - - buildplat: [windows-11-arm, win_arm64] - python: ["cp313t", "3.13"] + # TEMP: exclude block no longer needed when win_arm64 is commented + # exclude: + # - buildplat: [windows-11-arm, win_arm64] + # python: ["cp310", "3.10"] + # # BackendUnavailable: Cannot import 'mesonpy' + # - buildplat: [windows-11-arm, win_arm64] + # python: ["cp313t", "3.13"] env: IS_PUSH: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }} 
@@ -219,3 +220,53 @@ jobs: source ci/upload_wheels.sh set_upload_vars upload_wheels + + publish: + if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') + needs: + - build_sdist + - build_wheels + runs-on: ubuntu-latest + + # ---------- current TEST settings ---------- + environment: + name: testpypi # keep while testing + # ---------- FINAL settings (uncomment) ---------- + # environment: + # name: pypi # ← enable for PyPI + + permissions: + id-token: write # OIDC token for Trusted Publishing + contents: read + + steps: + # 1. Pull every artifact produced by the two upstream jobs + - name: Download all artifacts + uses: actions/download-artifact@v4 + with: + path: dist # all files land in ./dist/** + + # 2. Move wheels & sdist into a flat 'upload' dir (skip Pyodide wheels) + - name: Collect files + run: | + mkdir -p upload + # skip anything containing 'pyodide' in the filename + find dist -name '*pyodide*.whl' -prune -o \ + -name '*.whl' -exec mv {} upload/ \; + find dist -name '*.tar.gz' -exec mv {} upload/ \; + + # 3. Publish to TestPyPI using Trusted Publishing + - name: Publish to TestPyPI (Trusted Publishing) + uses: pypa/gh-action-pypi-publish@release/v1 + with: + repository-url: https://test.pypi.org/legacy/ # test endpoint + packages-dir: upload + skip-existing: true + + # ---------- FINAL publish block (uncomment, remove test one above) ---------- + # - name: Publish to PyPI (Trusted Publishing) # ← enable for PyPI + # uses: pypa/gh-action-pypi-publish@release/v1 + # with: + # repository-url: https://upload.pypi.org/legacy/ # ← production endpoint + # packages-dir: upload + # # skip-existing: true # ← remove for production From c15c17684156bef9d6c6f8aa11a24892a9d5ce1c Mon Sep 17 00:00:00 2001 
From: evgenii Date: Fri, 27 Jun 2025 00:38:26 +0300 Subject: [PATCH 09/23] CI: final Trusted-Publishing workflow (PyPI ready) --- .github/workflows/wheels.yml | 38 ++++++++++++------------------------ 1 file changed, 12 insertions(+), 26 deletions(-) diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml index 6b3ef098edbe1..30e970eabadc4 100644 --- a/.github/workflows/wheels.yml +++ b/.github/workflows/wheels.yml @@ -100,7 +100,7 @@ jobs: # Note: M1 images on Github Actions start from macOS 14 - [macos-14, macosx_arm64] - [windows-2022, win_amd64] - # - [windows-11-arm, win_arm64] + - [windows-11-arm, win_arm64] # TODO: support PyPy? python: [["cp310", "3.10"], ["cp311", "3.11"], ["cp312", "3.12"], ["cp313", "3.13"], ["cp313t", "3.13"]] include: @@ -110,13 +110,12 @@ jobs: - buildplat: [ubuntu-24.04, pyodide_wasm32] python: ["cp312", "3.12"] cibw_build_frontend: 'build' - # TEMP: exclude block no longer needed when win_arm64 is commented - # exclude: - # - buildplat: [windows-11-arm, win_arm64] - # python: ["cp310", "3.10"] - # # BackendUnavailable: Cannot import 'mesonpy' - # - buildplat: [windows-11-arm, win_arm64] - # python: ["cp313t", "3.13"] + exclude: + - buildplat: [windows-11-arm, win_arm64] + python: ["cp310", "3.10"] + # BackendUnavailable: Cannot import 'mesonpy' + - buildplat: [windows-11-arm, win_arm64] + python: ["cp313t", "3.13"] env: IS_PUSH: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }} @@ -228,12 +227,8 @@ jobs: - build_wheels runs-on: ubuntu-latest - # ---------- current TEST settings ---------- environment: - name: testpypi # keep while testing - # ---------- FINAL settings (uncomment) ---------- - # environment: - # name: pypi # ← enable for PyPI + name: pypi # ← enable for PyPI permissions: id-token: write # OIDC token for Trusted Publishing 
@@ -255,18 +250,9 @@ jobs: -name '*.whl' -exec mv {} upload/ \; find dist -name '*.tar.gz' -exec mv {} upload/ \; - # 3. Publish to TestPyPI using Trusted Publishing - - name: Publish to TestPyPI (Trusted Publishing) + # 3. Publish to PyPI using Trusted Publishing + - name: Publish to PyPI (Trusted Publishing) # ← enable for PyPI uses: pypa/gh-action-pypi-publish@release/v1 with: - repository-url: https://test.pypi.org/legacy/ # test endpoint - packages-dir: upload - skip-existing: true - - # ---------- FINAL publish block (uncomment, remove test one above) ---------- - # - name: Publish to PyPI (Trusted Publishing) # ← enable for PyPI - # uses: pypa/gh-action-pypi-publish@release/v1 - # with: - # repository-url: https://upload.pypi.org/legacy/ # ← production endpoint - # packages-dir: upload - # # skip-existing: true # ← remove for production + repository-url: https://upload.pypi.org/legacy/ # ← production endpoint + packages-dir: upload \ No newline at end of file From 033248678ba2e7848e9cc833acdd55fdd6de8175 Mon Sep 17 00:00:00 2001 From: evgenii Date: Fri, 27 Jun 2025 09:55:41 +0300 Subject: [PATCH 10/23] Docs & CI: add publish-comment header; final PyPI configuration --- .github/workflows/wheels.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml index 30e970eabadc4..80eb5a04084a9 100644 --- a/.github/workflows/wheels.yml +++ b/.github/workflows/wheels.yml @@ -220,6 +220,9 @@ jobs: set_upload_vars upload_wheels +################################################ +# Publish Wheels and Source Distribution to PyPI +################################################ publish: if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') needs: @@ -228,7 +231,7 @@ jobs: runs-on: ubuntu-latest environment: - name: pypi # ← enable for PyPI + name: pypi permissions: id-token: write # OIDC token for Trusted Publishing 
@@ -251,8 +254,8 @@ jobs: find dist -name '*.tar.gz' -exec mv {} upload/ \; # 3. Publish to PyPI using Trusted Publishing - - name: Publish to PyPI (Trusted Publishing) # ← enable for PyPI + - name: Publish to PyPI (Trusted Publishing) uses: pypa/gh-action-pypi-publish@release/v1 with: - repository-url: https://upload.pypi.org/legacy/ # ← production endpoint + repository-url: https://upload.pypi.org/legacy/ packages-dir: upload \ No newline at end of file From c675826408ee13f8f78f1ec4b4f486ca13d2cca2 Mon Sep 17 00:00:00 2001 From: evgenii Date: Fri, 27 Jun 2025 10:19:10 +0300 Subject: [PATCH 11/23] DOC: add Build/CI trusted-publishing entry to v3.0.0 whatsnew (#61669) --- doc/source/whatsnew/v3.0.0.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/source/whatsnew/v3.0.0.rst b/doc/source/whatsnew/v3.0.0.rst index 8d3ac0e396430..1dd478b8462ee 100644 --- a/doc/source/whatsnew/v3.0.0.rst +++ b/doc/source/whatsnew/v3.0.0.rst @@ -665,6 +665,14 @@ Performance improvements - Performance improvement in indexing operations for string dtypes (:issue:`56997`) - Performance improvement in unary methods on a :class:`RangeIndex` returning a :class:`RangeIndex` instead of a :class:`Index` when possible. (:issue:`57825`) +.. --------------------------------------------------------------------------- +.. _whatsnew_300.build: + +Build / CI +~~~~~~~~~~ + +- Switched wheel upload to **PyPI Trusted Publishing** (OIDC) for release-tag pushes in ``wheels.yml``. (:issue:``) + .. --------------------------------------------------------------------------- .. _whatsnew_300.bug_fixes: From 3cac6a5d1ceec158593c6d8570fcc476046d27d6 Mon Sep 17 00:00:00 2001 From: evgenii Date: Fri, 27 Jun 2025 10:27:32 +0300 Subject: [PATCH 12/23] CI: restore project name 'pandas' in pyproject.toml --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 8ec45c0ee3346..b17a1eacfa717 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -15,7 +15,7 @@ requires = [ build-backend = "mesonpy" [project] -name = 'evgmosme-pandas' +name = 'pandas' dynamic = [ 'version' ] From 45291a7ab6a820ef33580e4872866d5d355a0155 Mon Sep 17 00:00:00 2001 From: evgenii Date: Fri, 27 Jun 2025 11:01:38 +0300 Subject: [PATCH 13/23] CI: normalize line endings in wheels.yml (pre-commit) --- .github/workflows/wheels.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml index 80eb5a04084a9..c888c8e18983b 100644 --- a/.github/workflows/wheels.yml +++ b/.github/workflows/wheels.yml @@ -258,4 +258,4 @@ jobs: uses: pypa/gh-action-pypi-publish@release/v1 with: repository-url: https://upload.pypi.org/legacy/ - packages-dir: upload \ No newline at end of file + packages-dir: upload From da41c891f733a0c702106161c9aa71b7c1bb1453 Mon Sep 17 00:00:00 2001 From: evgenii Date: Fri, 27 Jun 2025 11:07:37 +0300 Subject: [PATCH 14/23] DOC: replace with 61718 in whatsnew --- doc/source/whatsnew/v3.0.0.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/whatsnew/v3.0.0.rst b/doc/source/whatsnew/v3.0.0.rst index 1dd478b8462ee..658b9b4968970 100644 --- a/doc/source/whatsnew/v3.0.0.rst +++ b/doc/source/whatsnew/v3.0.0.rst @@ -671,7 +671,7 @@ Performance improvements Build / CI ~~~~~~~~~~ -- Switched wheel upload to **PyPI Trusted Publishing** (OIDC) for release-tag pushes in ``wheels.yml``. (:issue:``) +- Switched wheel upload to **PyPI Trusted Publishing** (OIDC) for release-tag pushes in ``wheels.yml``. (:issue:`61718`) .. --------------------------------------------------------------------------- .. _whatsnew_300.bug_fixes: From 409dcb410501f136d815fcffd117d37d2aedeb2e Mon Sep 17 00:00:00 2001 From: evgenii Date: Fri, 27 Jun 2025 21:13:57 +0300 Subject: [PATCH 15/23] CI: restrict publish job to upstream repo and add skip-existing --- .github/workflows/wheels.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) 
diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml index c888c8e18983b..ddd1471eb12c6 100644 --- a/.github/workflows/wheels.yml +++ b/.github/workflows/wheels.yml @@ -220,11 +220,8 @@ jobs: set_upload_vars upload_wheels -################################################ -# Publish Wheels and Source Distribution to PyPI -################################################ publish: - if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') + if: github.repository == 'pandas-dev/pandas' && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') needs: - build_sdist - build_wheels @@ -238,13 +235,11 @@ jobs: contents: read steps: - # 1. Pull every artifact produced by the two upstream jobs - name: Download all artifacts uses: actions/download-artifact@v4 with: path: dist # all files land in ./dist/** - # 2. Move wheels & sdist into a flat 'upload' dir (skip Pyodide wheels) - name: Collect files run: | mkdir -p upload @@ -253,9 +248,9 @@ jobs: -name '*.whl' -exec mv {} upload/ \; find dist -name '*.tar.gz' -exec mv {} upload/ \; - # 3. Publish to PyPI using Trusted Publishing - name: Publish to PyPI (Trusted Publishing) uses: pypa/gh-action-pypi-publish@release/v1 with: repository-url: https://upload.pypi.org/legacy/ packages-dir: upload + skip-existing: true From 50afff67dc7d3b68826b0587b0c5c6f3785bbc08 Mon Sep 17 00:00:00 2001 From: evgenii Date: Fri, 27 Jun 2025 21:13:58 +0300 Subject: [PATCH 16/23] DOC: move Trusted-Publishing note to 'Other enhancements' --- doc/source/whatsnew/v3.0.0.rst | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/doc/source/whatsnew/v3.0.0.rst b/doc/source/whatsnew/v3.0.0.rst index 658b9b4968970..a449813cf098c 100644 --- a/doc/source/whatsnew/v3.0.0.rst +++ b/doc/source/whatsnew/v3.0.0.rst 
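Review bot: `skip-existing: true` is added to the production upload in the last hunk, which makes the step succeed without uploading whenever a file of the same name is already on the index. A release run then cannot tell a harmless re-run apart from the case where a different file already occupies that name, and the job still goes green. For the PyPI target I would drop the line so a name collision is a hard failure, and keep the option only for the TestPyPI variant, where repeated runs against one version are expected. The `github.repository == 'pandas-dev/pandas'` gate added in the first hunk is the right restriction and should stay.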
@@ -91,6 +91,7 @@ Other enhancements - Support passing a :class:`Iterable[Hashable]` input to :meth:`DataFrame.drop_duplicates` (:issue:`59237`) - Support reading Stata 102-format (Stata 1) dta files (:issue:`58978`) - Support reading Stata 110-format (Stata 7) dta files (:issue:`47176`) +- Switched wheel upload to **PyPI Trusted Publishing** (OIDC) for release-tag pushes in ``wheels.yml``. (:issue:`61718`) .. --------------------------------------------------------------------------- .. _whatsnew_300.notable_bug_fixes: @@ -665,14 +666,6 @@ Performance improvements - Performance improvement in indexing operations for string dtypes (:issue:`56997`) - Performance improvement in unary methods on a :class:`RangeIndex` returning a :class:`RangeIndex` instead of a :class:`Index` when possible. (:issue:`57825`) -.. --------------------------------------------------------------------------- -.. _whatsnew_300.build: - -Build / CI -~~~~~~~~~~ - -- Switched wheel upload to **PyPI Trusted Publishing** (OIDC) for release-tag pushes in ``wheels.yml``. (:issue:`61718`) - .. --------------------------------------------------------------------------- .. _whatsnew_300.bug_fixes: From b94eb08540cc09bd15fb5a46a545b29ef0d308a7 Mon Sep 17 00:00:00 2001 From: evgenii Date: Mon, 30 Jun 2025 09:25:13 +0300 Subject: [PATCH 17/23] workflow: enable Test PyPI publish job --- .github/workflows/wheels.yml | 75 ++++++++++++++++++++++-------------- 1 file changed, 46 insertions(+), 29 deletions(-) diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml index ddd1471eb12c6..4b03ce7cbd6cb 100644 --- a/.github/workflows/wheels.yml +++ b/.github/workflows/wheels.yml 
@@ -220,37 +220,54 @@ jobs: set_upload_vars upload_wheels - publish: - if: github.repository == 'pandas-dev/pandas' && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') - needs: - - build_sdist - - build_wheels - runs-on: ubuntu-latest +publish: + if: > + github.repository == 'evgmosme/pandas' && + github.event_name == 'push' && + startsWith(github.ref, 'refs/tags/v') - environment: - name: pypi + needs: + - build_sdist + - build_wheels - permissions: - id-token: write # OIDC token for Trusted Publishing - contents: read + runs-on: ubuntu-latest - steps: - - name: Download all artifacts - uses: actions/download-artifact@v4 - with: - path: dist # all files land in ./dist/** + environment: + name: testpypi # must match the Environment in repo settings + permissions: + id-token: write # OIDC for Trusted Publishing + contents: read - - name: Collect files - run: | - mkdir -p upload - # skip anything containing 'pyodide' in the filename - find dist -name '*pyodide*.whl' -prune -o \ - -name '*.whl' -exec mv {} upload/ \; - find dist -name '*.tar.gz' -exec mv {} upload/ \; + steps: + - name: Download all artefacts + uses: actions/download-artifact@v4 + with: + path: dist # everything lands in ./dist/** - - name: Publish to PyPI (Trusted Publishing) - uses: pypa/gh-action-pypi-publish@release/v1 - with: - repository-url: https://upload.pypi.org/legacy/ - packages-dir: upload - skip-existing: true + - name: Collect files + run: | + mkdir -p upload + # skip any wheel that contains 'pyodide' + find dist -name '*pyodide*.whl' -prune -o \ + -name '*.whl' -exec mv {} upload/ \; + find dist -name '*.tar.gz' -exec mv {} upload/ \; + + - name: Publish to **Test PyPI** (Trusted Publishing) + uses: pypa/gh-action-pypi-publish@release/v1 + with: + repository-url: https://test.pypi.org/legacy/ + packages-dir: upload + skip-existing: true + + # environment: + # name: pypi + # permissions: + # id-token: write + # contents: read + # + # - name: Publish to **PyPI** 
(Trusted Publishing) + # uses: pypa/gh-action-pypi-publish@release/v1 + # with: + # repository-url: https://upload.pypi.org/legacy/ + # packages-dir: upload + # skip-existing: true From 58cb17968d42d1472bd82d39f61ddb64ec022d46 Mon Sep 17 00:00:00 2001 From: evgenii Date: Mon, 30 Jun 2025 10:07:26 +0300 Subject: [PATCH 18/23] CI: fix indentation in wheels.yml (publish job) --- .github/workflows/wheels.yml | 88 ++++++++++++++++++------------------ 1 file changed, 44 insertions(+), 44 deletions(-) diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml index 4b03ce7cbd6cb..8d6b09cd7d12d 100644 --- a/.github/workflows/wheels.yml +++ b/.github/workflows/wheels.yml 
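Review bot: The guard at the top of the new `publish` block reads `github.repository == 'evgmosme/pandas'`, which names a personal fork, so if merged as is the job would never run on the canonical repository. The upload would presumably also depend on a trusted-publisher entry registered for a repository outside the project's control. If the fork is only needed for a dry run against TestPyPI, keep `github.repository == 'pandas-dev/pandas'` in the tracked file and do the test from a branch that is not merged. The commented-out `pypi` block at the end of the hunk duplicates the live settings and is easy to uncomment only partly; I would drop it and rely on history.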
@@ -220,54 +220,54 @@ jobs: set_upload_vars upload_wheels -publish: - if: > - github.repository == 'evgmosme/pandas' && - github.event_name == 'push' && - startsWith(github.ref, 'refs/tags/v') + publish: + if: > + github.repository == 'evgmosme/pandas' && + github.event_name == 'push' && + startsWith(github.ref, 'refs/tags/v') - needs: - - build_sdist - - build_wheels + needs: + - build_sdist + - build_wheels - runs-on: ubuntu-latest + runs-on: ubuntu-latest - environment: - name: testpypi # must match the Environment in repo settings - permissions: - id-token: write # OIDC for Trusted Publishing - contents: read + environment: + name: testpypi # must match the Environment in repo settings + permissions: + id-token: write # OIDC for Trusted Publishing + contents: read - steps: - - name: Download all artefacts - uses: actions/download-artifact@v4 - with: - path: dist # everything lands in ./dist/** + steps: + - name: Download all artefacts + uses: actions/download-artifact@v4 + with: + path: dist # everything lands in ./dist/** - - name: Collect files - run: | - mkdir -p upload - # skip any wheel that contains 'pyodide' - find dist -name '*pyodide*.whl' -prune -o \ - -name '*.whl' -exec mv {} upload/ \; - find dist -name '*.tar.gz' -exec mv {} upload/ \; + - name: Collect files + run: | + mkdir -p upload + # skip any wheel that contains 'pyodide' + find dist -name '*pyodide*.whl' -prune -o \ + -name '*.whl' -exec mv {} upload/ \; + find dist -name '*.tar.gz' -exec mv {} upload/ \; - - name: Publish to **Test PyPI** (Trusted Publishing) - uses: pypa/gh-action-pypi-publish@release/v1 - with: - repository-url: https://test.pypi.org/legacy/ - packages-dir: upload - skip-existing: true + - name: Publish to **Test PyPI** (Trusted Publishing) + uses: pypa/gh-action-pypi-publish@release/v1 + with: + repository-url: https://test.pypi.org/legacy/ + packages-dir: upload + skip-existing: true - # environment: - # name: pypi - # permissions: - # id-token: write - # contents: 
read - # - # - name: Publish to **PyPI** (Trusted Publishing) - # uses: pypa/gh-action-pypi-publish@release/v1 - # with: - # repository-url: https://upload.pypi.org/legacy/ - # packages-dir: upload - # skip-existing: true + # environment: + # name: pypi + # permissions: + # id-token: write + # contents: read + # + # - name: Publish to **PyPI** (Trusted Publishing) + # uses: pypa/gh-action-pypi-publish@release/v1 + # with: + # repository-url: https://upload.pypi.org/legacy/ + # packages-dir: upload + # skip-existing: true From 7359e1b51fe6167dae0e7dfe992a66216614ee67 Mon Sep 17 00:00:00 2001 From: evgenii Date: Mon, 30 Jun 2025 18:25:22 +0300 Subject: [PATCH 19/23] CI: trigger wheels workflow on GitHub release (add release:published) --- .github/workflows/wheels.yml | 23 ++++++----------------- doc/source/development/maintaining.rst | 6 +++--- 2 files changed, 9 insertions(+), 20 deletions(-) diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml index 8d6b09cd7d12d..776d761f30f61 100644 --- a/.github/workflows/wheels.yml +++ b/.github/workflows/wheels.yml @@ -13,6 +13,8 @@ name: Wheel builder on: + release: + types: [published] schedule: # 3:27 UTC every day - cron: "27 3 * * *" @@ -222,7 +224,7 @@ jobs: publish: if: > - github.repository == 'evgmosme/pandas' && + github.repository == 'pandas-dev/pandas' && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') @@ -233,7 +235,7 @@ jobs: runs-on: ubuntu-latest environment: - name: testpypi # must match the Environment in repo settings + name: pypi permissions: id-token: write # OIDC for Trusted Publishing contents: read 
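Review bot: The `if:` shown in hunk `@@ -222,7 +224,7 @@` still requires `github.event_name == 'push'`, yet the same commit adds `release:` with `types: [published]` under `on:` and rewrites the maintainer guide to say the upload happens when the Release is published. On a `release` event that clause is false, so `publish` is skipped and nothing is uploaded, while the guide no longer mentions the manual `twine upload`. The clause should read `github.event_name == 'release' &&`. Because hunk `@@ -233,7 +235,7 @@` also switches the environment to `pypi`, it would help to keep a comment such as `# must match the Environment in repo settings` on `name: pypi` rather than dropping it.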
@@ -252,22 +254,9 @@ jobs: -name '*.whl' -exec mv {} upload/ \; find dist -name '*.tar.gz' -exec mv {} upload/ \; - - name: Publish to **Test PyPI** (Trusted Publishing) + - name: Publish to **PyPI** (Trusted Publishing) uses: pypa/gh-action-pypi-publish@release/v1 with: - repository-url: https://test.pypi.org/legacy/ + repository-url: https://upload.pypi.org/legacy/ packages-dir: upload skip-existing: true - - # environment: - # name: pypi - # permissions: - # id-token: write - # contents: read - # - # - name: Publish to **PyPI** (Trusted Publishing) - # uses: pypa/gh-action-pypi-publish@release/v1 - # with: - # repository-url: https://upload.pypi.org/legacy/ - # packages-dir: upload - # skip-existing: true diff --git a/doc/source/development/maintaining.rst b/doc/source/development/maintaining.rst index c37925f7e271a..7b38eceeb761c 100644 --- a/doc/source/development/maintaining.rst +++ b/doc/source/development/maintaining.rst @@ -445,9 +445,9 @@ which will be triggered when the tag is pushed. - Set as the latest release: Leave checked, unless releasing a patch release for an older version (e.g. releasing 1.4.5 after 1.5 has been released) -5. Upload wheels to PyPI:: - - twine upload pandas/dist/pandas-*.{whl,tar.gz} --skip-existing +5. Wheels are uploaded automatically by GitHub Actions + via **Trusted Publishing** when the GitHub *Release* + is published. No manual ``twine upload`` step is required. 6. The GitHub release will after some hours trigger an `automated conda-forge PR `_. From f48275914347ab8da5413a8b7893f8130bb2ee35 Mon Sep 17 00:00:00 2001 From: Evgenii Mosikhin <147685598+evgmosme@users.noreply.github.com> Date: Tue, 1 Jul 2025 06:37:49 +0300 Subject: [PATCH 20/23] Update .github/workflows/wheels.yml Co-authored-by: Laurie O --- .github/workflows/wheels.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml index 776d761f30f61..36a48a61867f8 100644 
--- a/.github/workflows/wheels.yml +++ b/.github/workflows/wheels.yml @@ -225,7 +225,7 @@ jobs: publish: if: > github.repository == 'pandas-dev/pandas' && - github.event_name == 'push' && + github.event_name == 'release' && startsWith(github.ref, 'refs/tags/v') needs: From 0aa892f80291da9877e3ad65f828de4fbf0fb12a Mon Sep 17 00:00:00 2001 From: Evgenii Mosikhin <147685598+evgmosme@users.noreply.github.com> Date: Tue, 1 Jul 2025 06:38:11 +0300 Subject: [PATCH 21/23] Update doc/source/development/maintaining.rst Co-authored-by: Laurie O --- doc/source/development/maintaining.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/source/development/maintaining.rst b/doc/source/development/maintaining.rst index 7b38eceeb761c..71e82a4776ac3 100644 --- a/doc/source/development/maintaining.rst +++ b/doc/source/development/maintaining.rst @@ -446,7 +446,8 @@ which will be triggered when the tag is pushed. (e.g. releasing 1.4.5 after 1.5 has been released) 5. Wheels are uploaded automatically by GitHub Actions - via **Trusted Publishing** when the GitHub *Release* + via [**Trusted Publishing**](https://docs.pypi.org/trusted-publishers/) + when the GitHub [*Release*](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases) is published. No manual ``twine upload`` step is required. 6. The GitHub release will after some hours trigger an From da3c2813f10ca978d8ab8fc370bc533fafa2d844 Mon Sep 17 00:00:00 2001 From: Evgenii Mosikhin <147685598+evgmosme@users.noreply.github.com> Date: Tue, 1 Jul 2025 06:38:39 +0300 Subject: [PATCH 22/23] Update doc/source/development/maintaining.rst Co-authored-by: Laurie O --- doc/source/development/maintaining.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/development/maintaining.rst b/doc/source/development/maintaining.rst index 71e82a4776ac3..4b19369df2616 100644 --- a/doc/source/development/maintaining.rst +++ b/doc/source/development/maintaining.rst 
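Review bot: With the guard in `@@ -225,7 +225,7 @@` now keyed on `github.event_name == 'release'`, `publish` only runs if `build_sdist` and `build_wheels` also run for that event, and their `if:` conditions are outside this hunk. If they admit only `push`, `schedule` or `pull_request`, they are skipped on a published release and `publish` is skipped with them through `needs:`, with no failure reported. Worth confirming that both upstream jobs accept the `release` event before relying on this path. I would also add a comment above the condition, e.g. `# release events carry github.ref = refs/tags/<tag>`, so the `startsWith` clause is not mistaken for a leftover from the push trigger.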
@@ -448,7 +448,7 @@ which will be triggered when the tag is pushed. 5. Wheels are uploaded automatically by GitHub Actions via [**Trusted Publishing**](https://docs.pypi.org/trusted-publishers/) when the GitHub [*Release*](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases) - is published. No manual ``twine upload`` step is required. + is published. Do not run ``twine upload`` manually. 6. The GitHub release will after some hours trigger an `automated conda-forge PR `_. From ba4c3bd28c2098dce41c62035163c434c4532e1f Mon Sep 17 00:00:00 2001 From: Evgenii Mosikhin <147685598+evgmosme@users.noreply.github.com> Date: Tue, 1 Jul 2025 06:38:59 +0300 Subject: [PATCH 23/23] Update doc/source/development/maintaining.rst Co-authored-by: Laurie O --- doc/source/development/maintaining.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/development/maintaining.rst b/doc/source/development/maintaining.rst index 4b19369df2616..6462b9b194776 100644 --- a/doc/source/development/maintaining.rst +++ b/doc/source/development/maintaining.rst @@ -445,7 +445,7 @@ which will be triggered when the tag is pushed. - Set as the latest release: Leave checked, unless releasing a patch release for an older version (e.g. releasing 1.4.5 after 1.5 has been released) -5. Wheels are uploaded automatically by GitHub Actions +5. Verify wheels are uploaded automatically by GitHub Actions via [**Trusted Publishing**](https://docs.pypi.org/trusted-publishers/) when the GitHub [*Release*](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases) is published. Do not run ``twine upload`` manually.