Any caveats with autodeploy

Are there any security problems with Travis autodeploy to PyPI? I want to add this feature to some projects, and aioftp is one of them.

You may issue a scoped access token from PyPI and securely store the token in .travis.yml using the travis encrypt command.
By configuring .travis.yml to execute the deployment step only when the commit is explicitly tagged, you can allow any contributor with push permission to make a new PyPI release without leaking the password or full access to your PyPI account. You can always revoke the token if something goes wrong.
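The setup described in the answer above, as an added example that is not part of the original post or of aioftp's own configuration: a .travis.yml whose PyPI deploy step runs only for tagged commits on the upstream repository and authenticates with a project-scoped API token stored encrypted. The token value and the repository slug are placeholders, and the ".pypirc"-style user name "__token__" is what PyPI expects when an API token is used as the password.

```yaml
# Added example (not aioftp's actual .travis.yml). Assumes the token was
# created on PyPI with its scope limited to this one project, then stored with:
#   travis encrypt "pypi-AgEI...redacted..." --add deploy.password
language: python
python:
  - "3.8"

install:
  - pip install -e .[test]

script:
  - pytest

deploy:
  provider: pypi
  # PyPI API tokens always use the literal user name __token__
  user: __token__
  password:
    # placeholder: the real value is the ciphertext written by `travis encrypt`,
    # which only this repository's Travis environment can decrypt
    secure: "<encrypted project-scoped PyPI token>"
  distributions: "sdist bdist_wheel"
  skip_existing: true
  on:
    # only a pushed git tag triggers a release, never an ordinary commit
    tags: true
    # forks running the same .travis.yml do not get the secret, but this
    # also stops them from even attempting a deploy
    repo: aio-libs/aioftp
```

Two checks worth doing before relying on this: confirm on PyPI that the token's scope is the single project rather than the whole account, so a leaked token cannot publish anything else, and confirm in the Travis settings that encrypted values are not exposed to pull-request builds from forks.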

Thank you! So, is this a good practice?

It is, but there’s a known issue that sometimes travis’ encryption CLI errors out with PyPI API tokens for an unknown reason. This doesn’t happen to all of the repos, though. So you can use it if it works.

FWIW feel free to ping me for review in the PR.

Another option is to use GitHub Actions as they have built-in Secrets store on the repo level. See: https://packaging.python.org/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/.
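The GitHub Actions variant mentioned above, as an added example rather than anything from the linked guide or from an aio-libs project: a workflow that builds the distributions and publishes them only when a version tag is pushed, reading the project-scoped PyPI token from the repository's Secrets store. The secret name PYPI_API_TOKEN and the "v*" tag pattern are assumptions.

```yaml
# Added example (assumes a repository secret named PYPI_API_TOKEN holding a
# PyPI API token scoped to this one project, and tags of the form v1.2.3)
name: Publish to PyPI

on:
  push:
    tags:
      - "v*"

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - uses: actions/setup-python@v2
        with:
          python-version: "3.8"

      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade pip build
          python -m build

      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          # __token__ is the fixed user name for PyPI API tokens
          user: __token__
          # repository secrets are never exposed to workflows triggered by
          # pull requests from forks, so a fork cannot publish with this token
          password: ${{ secrets.PYPI_API_TOKEN }}
```

Because the trigger is restricted to tag pushes, only people who can push tags to the upstream repository can release, which is the same property the Travis configuration gives you; revoking the token on PyPI invalidates the secret immediately if it is ever leaked.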

Wow! I had not heard of the GitHub Actions method. Nice to see multiple solutions. Thank you!


Very many aio-libs projects use Travis, and very many of them deploy to PyPI from Travis when a git tag is pushed.

I think this is a good practice.