From ea5080f918d71a80aaf7a309cc5b6b49f12b9a13 Mon Sep 17 00:00:00 2001
From: Tim McCormack
Date: Fri, 9 Aug 2024 15:30:34 +0000
Subject: [PATCH] ci: Switch to Trusted Publisher method for PyPI

Testing out the Trusted Publisher method for PyPI: https://docs.pypi.org/trusted-publishers/
This should allow us to avoid using an org-wide secret, in favor of short-lived tokens generated by GitHub.
---
 .github/workflows/publish.yml | 10 +++++++---
 .github/workflows/test_publish.yml | 9 +++++++--
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f8567ac..4182b6e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -8,6 +8,13 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-22.04
+
+    environment:
+      name: pypi
+      url: https://pypi.org/p/edx-arch-experiments
+    permissions:
+      id-token: write  # used by pypi-publish
+
     steps:
     - uses: actions/checkout@v4
     - uses: actions/setup-python@v4
@@ -22,6 +29,3 @@ jobs:
     - name: Publish to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        user: __token__
-        password: ${{ secrets.PYPI_UPLOAD_TOKEN }}
diff --git a/.github/workflows/test_publish.yml b/.github/workflows/test_publish.yml
index 8116ca6..788a3d0 100644
--- a/.github/workflows/test_publish.yml
+++ b/.github/workflows/test_publish.yml
@@ -6,6 +6,13 @@ on:
 jobs:
   test-publish:
     runs-on: ubuntu-22.04
+
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/p/edx-arch-experiments
+    permissions:
+      id-token: write  # used by pypi-publish
+
     steps:
     - uses: actions/checkout@v4
     - uses: actions/setup-python@v4
@@ -21,8 +28,6 @@ jobs:
     - name: Publish to PyPI (test server)
       uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        user: __token__
-        password: ${{ secrets.PYPI_TEST_UPLOAD_TOKEN }}
         repository_url: https://test.pypi.org/legacy/
         skip_existing: true
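Review bot: The job-level `permissions:` block added here names only `id-token: write`, and a job-level block resets every unlisted `GITHUB_TOKEN` scope (including `contents`) to none, so the `actions/checkout@v4` step just below it presumably only keeps working because the repository is public. Declaring the read scope explicitly, `permissions:` / `  id-token: write  # used by pypi-publish` / `  contents: read`, documents the least-privilege intent and survives a visibility change; the matching hunk in test_publish.yml has the same shape. The `environment: pypi` entry is just a name from the workflow's side: the trusted-publisher registration on PyPI should pin this environment name as well as the repository and workflow file, and the environment itself should carry a deployment-branch restriction or required reviewers, since any run that reaches this job with that environment can mint a publish token. The workflow's `on:` trigger is outside this hunk, so I cannot confirm which refs currently reach the job.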
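Review bot: With the `password:` input removed, the OIDC-minted publish token is now handed to whatever code is at `pypa/gh-action-pypi-publish@release/v1`, a mutable branch ref, and that step is the one place in the job that can upload as the project. Pinning the action to a full commit SHA with the version in a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<commit-sha>  # release/v1`, keeps the publishing code from changing underneath a release; the same ref is used in test_publish.yml. Once the new path is confirmed working, `PYPI_UPLOAD_TOKEN` (and `PYPI_TEST_UPLOAD_TOKEN` from the second file) should be deleted from the org secrets and revoked on the PyPI side, otherwise the long-lived credential this change is meant to retire stays valid. The enclosing job starts outside this hunk.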
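Review bot: The two retained inputs, `repository_url:` and `skip_existing:`, use the underscore spellings; the action's current documented input names are `repository-url` and `skip-existing`, and the underscore forms appear to be accepted only as deprecated aliases, which is worth confirming against the pinned action version. Since this `with:` block is already being edited, switching to `repository-url: https://test.pypi.org/legacy/` and `skip-existing: true` avoids depending on the aliases outliving a future action update. The enclosing job and its trigger start outside this hunk.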