feat(release): publish tagged artifacts to PyPI

evopen · evopen · commit 53fb5bde985b · 2026-03-27T11:18:30.000+08:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,6 +7,19 @@ on:
   workflow_dispatch:
 
 jobs:
+  release-version-check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Validate tag, project version, and PyPI version
+        run: python scripts/check_release_version.py
+
   typecheck:
     runs-on: ubuntu-latest
 
@@ -30,7 +43,9 @@ jobs:
 
   sdist:
     runs-on: ubuntu-latest
-    needs: typecheck
+    needs:
+      - release-version-check
+      - typecheck
 
     steps:
       - uses: actions/checkout@v4
@@ -61,7 +76,9 @@ jobs:
 
   wheels:
     runs-on: ${{ matrix.os }}
-    needs: typecheck
+    needs:
+      - release-version-check
+      - typecheck
     strategy:
       fail-fast: false
       matrix:
@@ -93,16 +110,17 @@ jobs:
           name: rapidobj-wheels-${{ matrix.os }}
           path: wheelhouse/*.whl
 
-  publish-testpypi:
-    name: Publish to TestPyPI
+  publish-pypi:
+    name: Publish to PyPI
     runs-on: ubuntu-latest
     needs:
+      - release-version-check
       - sdist
       - wheels
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
     environment:
-      name: testpypi
-      url: https://test.pypi.org/p/rapidobj
+      name: pypi
+      url: https://pypi.org/p/rapidobj
     permissions:
       id-token: write
       contents: read
@@ -121,7 +139,5 @@ jobs:
           merge-multiple: true
           path: dist
 
-      - name: Publish package distributions to TestPyPI
+      - name: Publish package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          repository-url: https://test.pypi.org/legacy/
diff --git a/README.md b/README.md
@@ -12,18 +12,24 @@ stay efficient.
 
 ## Install
 
+From PyPI:
+
+```bash
+python -m pip install rapidobj
+```
+
 From source:
 
 ```bash
 uv sync
 uv build --wheel --python 3.12 --no-sources
-python -m pip install dist/rapidobj-0.1.0-cp312-cp312-*.whl
+python -m pip install dist/rapidobj-0.1.3-cp312-cp312-*.whl
 ```
 
 For release builds, GitHub Actions is the authoritative wheel pipeline. Pull
 requests validate the package, and version tags build Linux and Windows wheels
-for CPython 3.12, 3.13, and 3.14. Tag builds also publish the validated
-artifacts to TestPyPI via Trusted Publishing.
+for CPython 3.12, 3.13, and 3.14. Tag builds publish the validated artifacts
+to PyPI via Trusted Publishing after a strict version check.
 
 ## Minimal Usage
 
diff --git a/RELEASE.md b/RELEASE.md
@@ -4,6 +4,11 @@
 
 Use semantic version tags: `vX.Y.Z`.
 
+Production releases must satisfy all of the following:
+- the Git tag is `vX.Y.Z`
+- `[project].version` in `pyproject.toml` is `X.Y.Z`
+- `X.Y.Z` is not already published on PyPI
+
 ## Local Validation
 
 1. Clean old artifacts.
@@ -28,11 +33,12 @@ Use semantic version tags: `vX.Y.Z`.
    - `sdist` build and smoke test
    - Linux and Windows wheel builds for CPython `3.12`, `3.13`, and `3.14`
 2. Version tags (`vX.Y.Z`) run the release workflow:
+   - verify that tag version, `pyproject.toml` version, and PyPI publishability match
    - build the `sdist`
    - build Linux and Windows wheel artifacts
    - run metadata checks and smoke tests
    - upload artifacts to GitHub Actions
-   - publish those exact artifacts to TestPyPI via Trusted Publishing
+   - publish those exact artifacts to PyPI via Trusted Publishing
 
 ## GitHub Source Release
 
@@ -43,14 +49,10 @@ Use semantic version tags: `vX.Y.Z`.
 3. Wait for the release workflow to finish and download the generated artifacts if needed.
 4. Create GitHub release from the tag and include changelog notes.
 
-## TestPyPI Publish
-
-1. Configure a Trusted Publisher for the repository on TestPyPI.
-2. Push a version tag (`vX.Y.Z`).
-3. Wait for the `Release Artifacts` workflow to finish.
-4. Verify the package page and an install from TestPyPI.
-
 ## PyPI Publish
 
-1. After TestPyPI validation, point the publish job at production PyPI.
-2. Reuse the same tag-triggered artifact publish flow with Trusted Publishing.
+1. Configure a Trusted Publisher for the repository on PyPI.
+2. Bump `[project].version` in `pyproject.toml`.
+3. Push a matching version tag (`vX.Y.Z`).
+4. Wait for the `Release Artifacts` workflow to finish.
+5. Verify the package page and an install from PyPI.
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "rapidobj"
-version = "0.1.0"
+version = "0.1.3"
 description = "Fast OBJ parser with Python bindings"
 readme = "README.md"
 license = { file = "LICENSE" }
diff --git a/scripts/check_release_version.py b/scripts/check_release_version.py
@@ -0,0 +1,66 @@
+"""Validate tag, project version, and PyPI publishability for releases."""
+
+from __future__ import annotations
+
+import json
+import os
+from pathlib import Path
+import sys
+import tomllib
+import urllib.error
+import urllib.request
+
+
+def fail(message: str) -> int:
+    print(f"ERROR: {message}", file=sys.stderr)
+    return 1
+
+
+def main() -> int:
+    event_name = os.environ.get("GITHUB_EVENT_NAME", "")
+    ref = os.environ.get("GITHUB_REF", "")
+
+    if not (event_name == "push" and ref.startswith("refs/tags/v")):
+        print("Skipping release version check outside tag push context.")
+        return 0
+
+    tag_version = ref.removeprefix("refs/tags/v")
+    pyproject = Path("pyproject.toml")
+    data = tomllib.loads(pyproject.read_text(encoding="utf-8"))
+    project = data["project"]
+    package_name = project["name"]
+    project_version = project["version"]
+
+    print(f"Package: {package_name}")
+    print(f"Tag version: {tag_version}")
+    print(f"pyproject.toml version: {project_version}")
+
+    if project_version != tag_version:
+        return fail(
+            "Tag version does not match pyproject.toml version "
+            f"({tag_version} != {project_version})."
+        )
+
+    url = f"https://pypi.org/pypi/{package_name}/json"
+    try:
+        with urllib.request.urlopen(url) as response:
+            pypi_data = json.load(response)
+    except urllib.error.HTTPError as exc:
+        if exc.code == 404:
+            print("Package does not exist on PyPI yet; version is publishable.")
+            return 0
+        raise
+
+    releases = pypi_data.get("releases", {})
+    latest = pypi_data.get("info", {}).get("version", "<unknown>")
+    print(f"Latest version on PyPI: {latest}")
+
+    if tag_version in releases and releases[tag_version]:
+        return fail(f"Version {tag_version} is already published on PyPI.")
+
+    print(f"Version {tag_version} is not yet published on PyPI.")
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())
