cI: Switch to trusted publisher workflow

fixes #151
mj0nez · Jul 23, 2024 · 0bba6fd · 0bba6fd
1 parent ada11d0
commit 0bba6fd
Showing 1 changed file with 21 additions and 23 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,26 +1,24 @@
-# This workflows will upload a Python Package to pypi using Twine when a release is created or modified (see trigger).
-# To create a release:
-# * open https://github.com/mj0nez/energy-datetime-utils/releases/new
-# * create a new tag (preferably on main) with a semantic version e.g. 'v1.2.3' (the leading 'v' is important)
-# * autogenerate release notes
-# * publish release
+# This GitHub workflow is only needed for python package releases which are supposed to be published on pypi.
+# It requires the Github "environments" feature (see instructions below) it might not be available for private free accounts (but works for public or organization repos).
+# After creating the "release" environment in the Github repo settings, you need to enter your Github organization/username + repo name + "release.yml" workflow file name in the PyPI UI to make this work.
+
+# This workflow uploads a Python Package using Twine when a release is created.
 # For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
 
 name: Upload Python Package
 
 on:
   release:
-    branches: main
-    types: [created, edited]
+    types: [ created, edited ]
 
 jobs:
   tests:
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        python-version: ["3.12"]
-        os: [ubuntu-latest]
+        python-version: [ "3.12" ]
+        os: [ ubuntu-latest ]
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python ${{ matrix.python-version }}
@@ -33,11 +31,18 @@ jobs:
           pip install tox
       - name: Run tox
         run: |
-          tox -e tests
+          tox
+
   build-n-publish:
     name: Build and publish Python 🐍 distributions 📦 to PyPI and TestPyPI
     runs-on: ubuntu-latest
-    needs: tests # under no circumstances we want to publish a release that didn't pass the tests
+    # Specifying a GitHub environment, # Specifying a GitHub environment, which is strongly recommended by PyPI: https://docs.pypi.org/trusted-publishers/adding-a-publisher/
+    # you have to create an environment in your repository settings and add the environment name here
+    environment: release
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
+    needs: tests
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python
@@ -47,18 +52,11 @@ jobs:
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install build twine
-      - name: Build a binary wheel and a source tarball
+          pip install -r dev_requirements/requirements-packaging.txt
+      - name: Build wheel and source distributions
         run: |
           python -m build
-      - name: Publish distribution 📦 to Test PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
-          repository_url: https://test.pypi.org/legacy/
       - name: Publish distribution 📦 to PyPI
-        if: startsWith(github.ref, 'refs/tags/v') # the tag name has to be v1.2.3 (with 1.2.3 being the semver)
+        if: startsWith(github.ref, 'refs/tags/v')
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }} # <-- add this to the repo secrets https://github.com/mj0nez/energy-datetime-utils/settings/secrets/actions
+