GeistHaus

GitHub - pypa/gh-action-pypi-publish: The blessed GitHub Action, for publishing your distribution files to PyPI, the tokenless way: https://github.com/marketplace/actions/pypi-publish

github.com

The blessed :octocat: GitHub Action, for publishing your :package: distribution files to PyPI, the tokenless way: https://github.com/marketplace/actions/pypi-publish - pypa/gh-action-pypi-publish

14 pages link to this URL
Using pip to install a Large Language Model that’s under 100MB

I just released llm-smollm2, a new plugin for LLM that bundles a quantized copy of the SmolLM2-135M-Instruct LLM inside of the Python package. This means you can now pip install …

1 inbound link article en o3 22, pip 17, plugins 127, pypi 46, llm 600, projects 529, llms 1757, python 1250, smollm 5, llama-cpp 28, github-actions 65, ai 2024, local-llms 156, uv 93, gemini 185, generative-ai 1791, ai-assisted-programming 383
GHA: GitHub Actions intro

This guide is maintained by the scientific Python community for the benefit of fellow scientists and research software engineers.

1 inbound link website en
Python in GitHub Actions

GitHub’s own CI called GitHub Actions has been out of closed beta for a while and offers generous free quotas and a seamless integration with the rest of the site. Let’s have a look at how to use it for an open source Python package.

1 inbound link article en
Why pylock.toml includes digital attestations

A Python project got hacked where malicious releases were directly uploaded to PyPI. I said on Mastodon that had the project used trusted publishing with digital attestations, then people using a pylock.toml file would have noticed something odd was going on thanks to the lock file including attestation data.

2 inbound links article en Python, packaging
Trusted publishing: a new benchmark for packaging security

Read the official announcement on the PyPI blog as well! For the past year, we’ve worked with the Python Package Index to add a new, more secure authentication method called “trusted publishing.” Trusted publishing eliminates the need for long-lived API tokens and passwords, reducing the risk of supply chain attacks and credential leaks while also […]

3 inbound links article en ecosystem-security, engineering-practice