ci: Switch to Trusted Publisher method for PyPI

Testing out the Trusted Publisher method for PyPI: https://docs.pypi.org/trusted-publishers/ This should allow us to avoid using an org-wide secret, in favor of short-lived tokens generated by GitHub.
edx · Aug 9, 2024 · ea5080f · ea5080f
1 parent 38437d4
commit ea5080f
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 5 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -8,6 +8,13 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-22.04
+
+    environment:
+      name: pypi
+      url: https://pypi.org/p/edx-arch-experiments
+    permissions:
+      id-token: write  # used by pypi-publish
+
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v4
@@ -22,6 +29,3 @@ jobs:
 
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_UPLOAD_TOKEN }}
diff --git a/.github/workflows/test_publish.yml b/.github/workflows/test_publish.yml
@@ -6,6 +6,13 @@ on:
 jobs:
   test-publish:
     runs-on: ubuntu-22.04
+
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/p/edx-arch-experiments
+    permissions:
+      id-token: write  # used by pypi-publish
+
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v4
@@ -21,8 +28,6 @@ jobs:
       - name: Publish to PyPI (test server)
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_TEST_UPLOAD_TOKEN }}
           repository_url: https://test.pypi.org/legacy/
           skip_existing: true