diff --git a/.github/workflows/_release.yml b/.github/workflows/_release.yml
index e6ee3e6072d89..d24bf983a1f69 100644
--- a/.github/workflows/_release.yml
+++ b/.github/workflows/_release.yml
@@ -16,6 +16,13 @@ jobs:
 # Disallow publishing from branches that aren't `master`.
 if: github.ref == 'refs/heads/master'
 runs-on: ubuntu-latest
+ permissions:
+ # This permission is used for trusted publishing:
+ # https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
+ #
+ # Trusted publishing has to also be configured on PyPI for each package:
+ # https://docs.pypi.org/trusted-publishers/adding-a-publisher/
+ id-token: write
 defaults:
 run:
 working-directory: ${{ inputs.working-directory }}
@@ -44,8 +51,9 @@ jobs:
 generateReleaseNotes: true
 tag: v${{ steps.check-version.outputs.version }}
 commit: master
- - name: Publish to PyPI
- env:
- POETRY_PYPI_TOKEN_PYPI: ${{ secrets.PYPI_API_TOKEN }}
- run: |
- poetry publish
+ - name: Publish package distributions to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ packages-dir: ${{ inputs.working-directory }}/dist/
+ verbose: true
+ print-hash: true
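Review bot: In the first hunk, the new job-level `permissions:` block lists only `id-token: write`, and once a job declares `permissions`, every scope it does not list drops to `none`. The step whose inputs appear as context in the second hunk (`generateReleaseNotes`, `tag`, `commit`) looks like it creates a GitHub release, which would need `contents: write`; if so, add `contents: write` under `permissions:` with a comment naming the step that needs it. The OIDC token is also available to every step in this job, including whatever builds the package, so consider moving the publish step into its own job that downloads the built `dist/` artifact and is the only one holding `id-token: write`. The rest of the job lies outside the hunk, so both points should be checked against the full file.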
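Review bot: In the second hunk, `uses: pypa/gh-action-pypi-publish@release/v1` follows a branch ref that can move, and this step runs in a job able to mint PyPI upload credentials through OIDC. Pinning to a full commit SHA, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, keeps the executed code fixed until someone deliberately bumps it. Separately, the `PYPI_API_TOKEN` secret is no longer referenced here but remains valid until it is revoked on PyPI and deleted from the repository secrets; whether other workflows still use it is not visible from this diff.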