Trusted publishing for PyPI.org

b-long · b-long · commit 98339d30227d · 2024-12-11T17:30:11.000-05:00
diff --git a/.github/workflows/publish-test.yaml b/.github/workflows/publish-test.yaml
@@ -204,6 +204,11 @@ jobs:
               PROJECT_VESION=$(poetry version -s)
               echo "PROJECT_VESION=$PROJECT_VESION" >> $GITHUB_ENV
 
+        # Publish with "trusted publisher" mechanism:
+        # https://docs.pypi.org/trusted-publishers/
+        #
+        # Requires GHA token permission (above in YAML) and PyPI magement:
+        #   https://test.pypi.org/manage/project/otdf-python/settings/publishing/
         - name: Publish package distributions to PyPI
           uses: pypa/gh-action-pypi-publish@release/v1
           with:
@@ -216,5 +221,6 @@ jobs:
                 README.md,
                 dist/*.whl
             body: otdf_python version ${{ env.PROJECT_VESION }}
+            makeLatest: "false"
             tag: "${{ env.PROJECT_VESION }}-dev-${{ github.sha }}"
             # tag: v${{ env.PROJECT_VESION }}
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -180,6 +180,8 @@ jobs:
   release:
     permissions:
       contents: write
+      # This permission is mandatory for PyPI's trusted publishing
+      id-token: write
     needs: [build_macos, build_linux_x86_64]
     runs-on: ubuntu-latest
     # if: github.ref == 'refs/heads/main'
@@ -202,16 +204,16 @@ jobs:
               PROJECT_VESION=$(poetry version -s)
               echo "PROJECT_VESION=$PROJECT_VESION" >> $GITHUB_ENV
 
-        - name: Install twine
-          run: pip install twine
-
-        - name: Upload to PyPI
-          env:
-            TWINE_UPLOAD_URL: https://upload.pypi.org/legacy/
-            PYPI_USERNAME: ${{ secrets.PYPI_USERNAME }}
-            PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
-          run: |
-            twine upload --password "$PYPI_PASSWORD" --user "$PYPI_USERNAME" --repository-url "$TWINE_UPLOAD_URL" dist/*
+        # Publish with "trusted publisher" mechanism:
+        # https://docs.pypi.org/trusted-publishers/
+        #
+        # Requires GHA token permission (above in YAML) and PyPI magement:
+        #   https://pypi.org/manage/project/otdf-python/settings/publishing/
+        - name: Publish package distributions to PyPI
+          uses: pypa/gh-action-pypi-publish@release/v1
+          with:
+            # repository-url: https://pypi.org/legacy/
+            packages-dir: dist/
 
         - uses: ncipollo/release-action@v1
           with:
