Skip to content

Release

This document describes the public OSS release flow for dpone.

Prerequisites

  • GitHub repository: PaulKov/dpone.
  • PyPI project: dpone.
  • License: Apache-2.0.
  • Preferred publishing mode: PyPI Trusted Publishing through GitHub Actions.
  • Fallback publishing mode: short-lived PyPI API token stored as PYPI_API_TOKEN.

Before publishing, revoke any GitHub or PyPI tokens that were pasted into chats, issues, logs, or commits.

Pre-release checks

uv sync --all-extras
uv run ruff check .
uv run ruff format --check .
uv run mypy --config-file mypy.ini
uv run pytest -m "not integration_live"
uv build
uv tool run twine check dist/*

Secret hygiene checks:

detect-secrets scan --force-use-all-plugins $(git ls-files)
git grep -I -n -E 'ghp_|github_pat_|pypi-|AKIA|PRIVATE KEY' -- ':!uv.lock'

The commands above must not print real credentials. If a credential appears in chat, terminal output, issues, logs, commits, or pull requests, rotate it before publishing and use PyPI Trusted Publishing instead of a long-lived PyPI token.

Package smoke from a fresh environment:

python -m venv /tmp/dpone-release-smoke
/tmp/dpone-release-smoke/bin/pip install -U pip
/tmp/dpone-release-smoke/bin/pip install dist/*.whl
/tmp/dpone-release-smoke/bin/python tools/package_smoke.py --project-root . --dpone-cmd /tmp/dpone-release-smoke/bin/dpone

Release process

  1. Update CHANGELOG.md.
  2. Ensure pyproject.toml contains the target version.
  3. Confirm the public names are available or owned by the maintainer: PaulKov/dpone on GitHub and dpone on PyPI.
  4. Push changes to master through a reviewed PR.
  5. Wait for GitHub Actions CI to pass on master.
  6. Create an annotated tag:
git tag -a vX.Y.Z -m "Release vX.Y.Z"
git push origin vX.Y.Z
  1. GitHub Actions builds artifacts and publishes them to PyPI.
  2. Verify the public install:
python -m venv /tmp/dpone-pypi-smoke
/tmp/dpone-pypi-smoke/bin/pip install -U pip
/tmp/dpone-pypi-smoke/bin/pip install "dpone[full]==X.Y.Z"
/tmp/dpone-pypi-smoke/bin/dpone --help

Publication blockers

Do not publish if any of these are true:

  • A GitHub or PyPI credential was pasted into chat, terminal output, docs, commits, issues, or pull requests and has not been rotated.
  • GitHub Actions has not passed on the exact commit being tagged.
  • uv tool run twine check dist/* fails.
  • A fresh environment cannot install both dpone and dpone[full].
  • The package name dpone on PyPI or repo name PaulKov/dpone on GitHub is not available to the maintainer account.

Version policy

dpone uses SemVer once public APIs stabilize. During 0.x, minor versions may still include breaking changes, but they must be documented in CHANGELOG.md and Compatibility.