A GitHub Action that builds and publishes Python packages to AWS CodeArtifact using uv.
- Builds Python packages with `uv build` (works with any PEP 517 build backend)
- Publishes to AWS CodeArtifact via OIDC authentication
- Computes fallback versions for projects with a static `version` in `pyproject.toml`:
  - Push to branch: `X.Y.Z.devN+gHASH.dDATE` (dev number from git distance, local identifier from commit hash and date)
  - Pre-release: `X.Y.ZrcN` (release candidate)
  - Release: version from the release tag
- Projects using dynamic versioning (e.g., `hatch-vcs`) determine their own version at build time
- Writes the actual published version and install instructions to the GitHub job summary

```yaml
name: Publish to CodeArtifact

on:
  push:
    branches: ["**"]
  release:
    types: [released, prereleased]

permissions:
  id-token: write  # Required for AWS OIDC
  contents: read

jobs:
  publish:
    runs-on: ubuntu-24.04
    steps:
      - uses: CVector-Energy/publish-to-codeartifact@main
        with:
          package-name: my-package
          iam-role: arn:aws:iam::123456789012:role/MyDeploymentRole
          codeartifact-domain: my-domain
          codeartifact-domain-owner: "123456789012"
          codeartifact-repository: my-repo
```

| Input | Required | Default | Description |
|---|---|---|---|
| `package-name` | Yes | | Python package name (used in job summary) |
| `iam-role` | Yes | | ARN of the AWS IAM role to assume via OIDC |
| `aws-region` | No | `us-east-1` | AWS region |
| `codeartifact-domain` | Yes | | CodeArtifact domain name |
| `codeartifact-domain-owner` | Yes | | CodeArtifact domain owner AWS account ID |
| `codeartifact-repository` | Yes | | CodeArtifact repository name |
| `uv-index-name` | No | | Name of the uv index (from `[[tool.uv.index]]`) to authenticate for reading private dependencies during build |

The calling workflow must set `permissions: id-token: write` for AWS OIDC authentication to work.

The IAM role must have permissions to:

- `codeartifact:GetAuthorizationToken` on the domain
- `codeartifact:GetRepositoryEndpoint`, `codeartifact:PublishPackageVersion`, `codeartifact:PutPackageMetadata`, `codeartifact:ReadFromRepository` on the repository
- `sts:GetServiceBearerToken` for CodeArtifact service
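
A least-privilege check for the role's permissions policy, added here as an example (it is not part of this action or its repository): it compares a policy document with the action list above and reports missing actions, wildcard or extra grants, and CodeArtifact actions allowed on `Resource: "*"`. The name `audit_policy` and the sample policy are constructed for illustration; Deny statements, `NotAction` and conditions are not evaluated.

```python
import fnmatch

# Actions the README lists for the publishing role.
REQUIRED = {
    "codeartifact:GetAuthorizationToken",
    "codeartifact:GetRepositoryEndpoint",
    "codeartifact:PublishPackageVersion",
    "codeartifact:PutPackageMetadata",
    "codeartifact:ReadFromRepository",
    "sts:GetServiceBearerToken",
}

def _listify(value):
    """IAM accepts a single value wherever a list is allowed."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Compare the Allow statements of an identity policy with REQUIRED.
    missing:  required actions that no Allow pattern matches
    excess:   Allow patterns that are wildcards or not in REQUIRED
    unscoped: codeartifact patterns allowed on Resource "*"
    Deny, NotAction and Condition are not evaluated (simplifying assumption).
    """
    allowed, unscoped = [], set()
    for stmt in _listify(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        everywhere = "*" in _listify(stmt.get("Resource"))
        for action in _listify(stmt.get("Action")):
            allowed.append(action)
            if everywhere and action.lower().startswith("codeartifact:"):
                unscoped.add(action)
    # IAM matches action names case-insensitively; * and ? are wildcards.
    patterns = [a.lower() for a in allowed]
    required_lower = {r.lower() for r in REQUIRED}
    missing = {r for r in REQUIRED
               if not any(fnmatch.fnmatchcase(r.lower(), p) for p in patterns)}
    excess = {a for a in allowed if a.lower() not in required_lower}
    return {"missing": sorted(missing), "excess": sorted(excess), "unscoped": sorted(unscoped)}

# Constructed, deliberately flawed policy; the domain ARN reuses the README's sample values.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "codeartifact:GetAuthorizationToken",
     "Resource": "arn:aws:codeartifact:us-east-1:123456789012:domain/my-domain"},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "codeartifact:Get*", "codeartifact:ReadFromRepository",
        "codeartifact:PublishPackageVersion"]},
    {"Effect": "Allow", "Action": "sts:GetServiceBearerToken", "Resource": "*"},
]}
```

Calling `audit_policy(SAMPLE)` reports the missing `codeartifact:PutPackageMetadata`, the `codeartifact:Get*` wildcard, and the three CodeArtifact patterns granted on every resource.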