Use Trusted Publishing on PyPI

abelcheung · Oct 21, 2023 · 380be99 · 380be99
1 parent 2e24427
commit 380be99
Showing 1 changed file with 4 additions and 11 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,8 +4,6 @@ on:
   push:
     tags:
       - '20*'
-permissions:
-  contents: write
 
 jobs:
   all_tests:
@@ -16,6 +14,10 @@ jobs:
   release:
     needs: all_tests
     runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write
+      contents: write
     steps:
 
     - name: Download artifact
@@ -37,19 +39,10 @@ jobs:
         contains(github.ref_name, 'pre')
       uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        user: __token__
-        password: ${{ secrets.testpypi_token }}
         repository-url: https://test.pypi.org/legacy/
-        verbose: true
-        print-hash: true
 
     - name: Publish to PyPI
       if: >
         ! contains(github.ref_name, 'rc') &&
         ! contains(github.ref_name, 'pre')
       uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        user: __token__
-        password: ${{ secrets.pypi_token }}
-        verbose: true
-        print-hash: true