build: fix python upload workflows

igaw · igaw · commit 9d275a3cdfcb · 2025-04-10T15:32:36.000+02:00
Use virtual python environment to install the packaging tool.

Signed-off-by: Daniel Wagner &lt;wagi@kernel.org&gt;
diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml
@@ -11,10 +11,6 @@ on:
 
   workflow_dispatch:
 
-permissions:
-  contents: read
-  id-token: write
-
 jobs:
   build_sdist:
     name: Build source distribution
@@ -38,50 +34,68 @@ jobs:
   upload_test_pypi:
     needs: [build_sdist]
     runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write
     steps:
       - name: Install Python (if missing)
-        run: apt-get update && apt-get install -y python3 python3-pip
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y python3 python3-pip
 
       - name: Update python dependencies
-        run: python3 -m pip install -U packaging --break-system-packages
+        run: |
+          python3 -m venv venv
+          source venv/bin/activate
+          pip install -U packaging
 
       - uses: actions/download-artifact@v4
         with:
           name: artifact
           path: dist
 
       - name: Publish package to TestPyPI
+        env:
+          PATH: ${{ github.workspace }}/venv/bin:$PATH
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           repository-url: https://test.pypi.org/legacy/
 
   upload_pypi:
     needs: [build_sdist]
     runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write
     if: startsWith(github.ref, 'refs/tags/v') && github.repository == 'linux-nvme/libnvme'
     steps:
       - name: Install Python (if missing)
-        run: apt-get update && apt-get install -y python3 python3-pip
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y python3 python3-pip
 
       - name: Update python dependencies
-        run: python3 -m pip install -U packaging --break-system-packages
+        run: |
+          python3 -m venv venv
+          source venv/bin/activate
+          pip install -U packaging
 
       - name: Check if it is a release tag
         id: check-tag
         run: |
            if [[ ${{ github.event.ref }} =~ ^refs/tags/v([0-9]+\.[0-9]+)(\.[0-9]+)?(-rc[0-9]+)?$ ]]; then
                echo ::set-output name=match::true
            fi
+
       - name: Download artifiact
         uses: actions/download-artifact@v4
         if: steps.check-tag.outputs.match == 'true'
         with:
           name: artifact
           path: dist
+
       - name: Publish package to PyPI
+        env:
+          PATH: ${{ github.workspace }}/venv/bin:$PATH
         uses: pypa/gh-action-pypi-publish@release/v1
         if: steps.check-tag.outputs.match == 'true'
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
-          verify-metadata: false
