# 语义化版本规范示例
class SemanticVersion:"""语义化版本管理"""def __init__(self, major: int, minor: int, patch: int):self.major = majorself.minor = minorself.patch = patchdef bump_major(self):"""不兼容的API变更"""self.major += 1self.minor = 0self.patch = 0def bump_minor(self):"""向后兼容的功能新增"""self.minor += 1self.patch = 0def bump_patch(self):"""向后兼容的问题修正"""self.patch += 1def __str__(self):return f"{self.major}.{self.minor}.{self.patch}"# 使用示例
version = SemanticVersion(1, 0, 0)
version.bump_minor()
print(version)  # 输出: 1.1.0

# 动态版本文件(由工具自动生成)
__version__ = "1.0.0"

[tool.setuptools_scm]
write_to = "src/my_package/_version.py"

[build-system]
requires = ["setuptools>=42","wheel","setuptools_scm>=6.0"
]
build-backend = "setuptools.build_meta"[project]
name = "my_package"
description = "My awesome package"
authors = [{name = "Your Name", email = "your.email@example.com"}]
readme = "README.md"
requires-python = ">=3.8"
license = {text = "MIT"}
classifiers = ["Development Status :: 4 - Beta","Intended Audience :: Developers",
][project.urls]
Homepage = "https://github.com/you/my_package"
Documentation = "https://my_package.readthedocs.io"

name: Build Packageon: [push, pull_request]jobs:build:runs-on: ubuntu-lateststrategy:matrix:python-version: ["3.8", "3.9", "3.10"]steps:- uses: actions/checkout@v3- name: Set up Python ${{ matrix.python-version }}uses: actions/setup-python@v4with:python-version: ${{ matrix.python-version }}- name: Install dependenciesrun: |python -m pip install --upgrade pippip install build- name: Build packagerun: python -m build- name: Verify packagerun: pip install twine && twine check dist/*

name: Publish Packageon:release:types: [published]jobs:deploy:runs-on: ubuntu-lateststeps:- uses: actions/checkout@v3- name: Set up Pythonuses: actions/setup-python@v4with:python-version: "3.10"- name: Install dependenciesrun: |python -m pip install --upgrade pippip install build twine- name: Build packagerun: python -m build- name: Publish to PyPIenv:TWINE_USERNAME: __token__TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}run: twine upload dist/*

# 测试发布流程
python -m build
twine upload --repository testpypi dist/*# 从测试仓库安装验证
pip install --index-url https://test.pypi.org/simple/ my_package

[distutils]
index-servers =pypiprivate[pypi]
username = __token__
password = pypi-your-token[private]
repository = https://your.company.com/pypi
username = your-username
password = your-password

[[tool.poetry.source]]
name = "private"
url = "https://your.company.com/pypi/simple"
secondary = true

# 生成GPG密钥
gpg --full-generate-key# 签名包
gpg --detach-sign -a dist/my_package-1.0.0.tar.gz# 验证签名
gpg --verify my_package-1.0.0.tar.gz.asc

import gnupg
import tempfile
import shutilclass PackageVerifier:"""包验证器"""def __init__(self, keyring_dir=None):self.gpg = gnupg.GPG(keyring=keyring_dir)if not keyring_dir:self.temp_dir = tempfile.mkdtemp()self.gpg = gnupg.GPG(gnupghome=self.temp_dir)def import_key(self, key_data):"""导入公钥"""return self.gpg.import_keys(key_data)def verify(self, package_path, signature_path):"""验证包签名"""with open(package_path, 'rb') as f, open(signature_path, 'rb') as sig:return self.gpg.verify_file(sig, data_file=f)def __del__(self):if hasattr(self, 'temp_dir'):shutil.rmtree(self.temp_dir)# 使用示例
verifier = PackageVerifier()
verifier.import_path(open('public.key').read())
result = verifier.verify('dist/my_package-1.0.0.tar.gz', 'dist/my_package-1.0.0.tar.gz.asc')
print("Valid signature:" if result else "Invalid signature")

[tox]
envlist = py{38,39,310}[testenv]
deps =pytest>=6.0pytest-cov
commands =pytest --cov=my_package tests/

[project.optional-dependencies]
win = ["pywin32>=300; sys_platform=='win32'"]
mac = ["pyobjc>=8.0; sys_platform=='darwin'"]
linux = ["dbus-python>=1.2; sys_platform=='linux'"]

import requests
from datetime import datetime, timedeltaclass PyPIStats:"""PyPI统计监控"""BASE_URL = "https://pypistats.org/api"@classmethoddef get_recent_downloads(cls, package: str, period: str = "week"):"""获取近期下载量"""url = f"{cls.BASE_URL}/packages/{package}/recent"params = {"period": period}response = requests.get(url, params=params)return response.json()@classmethoddef get_version_downloads(cls, package: str):"""获取版本下载量"""url = f"{cls.BASE_URL}/packages/{package}/versions"response = requests.get(url)return response.json()# 使用示例
stats = PyPIStats.get_recent_downloads("my_package")
print(f"Recent downloads: {stats['data']['last_week']}")

import subprocess
import sysdef rollback_version(package: str, version: str):"""回滚到指定版本"""try:subprocess.run([sys.executable, "-m", "pip","install",f"{package}=={version}","--force-reinstall","--no-cache-dir"], check=True)print(f"Successfully rolled back to {package}=={version}")except subprocess.CalledProcessError as e:print(f"Rollback failed: {str(e)}")sys.exit(1)# 使用示例
rollback_version("my_package", "1.0.0")

from cyclonedx.model.bom import Bom
from cyclonedx.model.component import Component
from cyclonedx.output import get_instance
import jsonclass SBOMGenerator:"""SBOM生成器"""@staticmethoddef generate(package_name: str, version: str, dependencies: dict):"""生成CycloneDX格式的SBOM"""bom = Bom()# 添加主包main_component = Component(name=package_name,version=version,type="library")bom.add_component(main_component)# 添加依赖for dep_name, dep_version in dependencies.items():dep_component = Component(name=dep_name,version=dep_version,type="library")bom.add_component(dep_component)# 输出JSON格式output = get_instance(bom, output_format="json")return json.loads(output.output_as_string())# 使用示例
dependencies = {"requests": "2.28.1","numpy": "1.23.5"
}
sbom = SBOMGenerator.generate("my_package", "1.0.0", dependencies)
with open("sbom.json", "w") as f:json.dump(sbom, f, indent=2)

import hashlibdef verify_sbom(sbom_path: str):"""验证SBOM完整性"""with open(sbom_path, "rb") as f:content = f.read()sha256 = hashlib.sha256(content).hexdigest()# 将哈希值存储在安全的地方(如签名文件)with open(f"{sbom_path}.sha256", "w") as f:f.write(sha256)return sha256# 使用示例
sbom_hash = verify_sbom("sbom.json")
print(f"SBOM SHA256: {sbom_hash}")