Commit
ci: Use PyPI Trusted Publisher for publishing package (#294)
* Use the OpenID Connect (OIDC) standard to publish to PyPI and TestPyPI
  using PyPI's "Trusted Publisher" implementation to publish without
  using API tokens stored as GitHub Actions secrets. Use an optional
  GitHub Actions environment to further restrict publishing to selected
  branches for additional security.
   - c.f. https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
   - c.f. https://docs.pypi.org/trusted-publishers/
matthewfeickert authored May 28, 2024
1 parent 02663e3 commit 0d4b0a8
Showing 1 changed file with 8 additions and 3 deletions.
11 changes: 8 additions & 3 deletions .github/workflows/wheels.yml
Expand Up @@ -97,6 +97,13 @@ jobs:
upload_all:
needs: [build_wheels, make_sdist]
runs-on: ubuntu-latest
# Restrict to the environment set for the trusted publisher
environment:
name: publish
# Mandatory for publishing with a trusted publisher
# c.f. https://docs.pypi.org/trusted-publishers/using-a-publisher/
permissions:
id-token: write
if: github.event_name == 'release' && github.event.action == 'published'

steps:
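Review bot: the new `environment: name: publish` block on this job only restricts anything if the `publish` environment is also configured in the repository settings with deployment branch/tag rules (and, ideally, required reviewers); as YAML alone it is just a label, so the PR should confirm that configuration exists before merge, and the environment name must match the one registered on the PyPI trusted publisher exactly or the OIDC token claims will not match. Scoping `permissions: id-token: write` to this job rather than the workflow is the right choice, but note that declaring a job-level `permissions` block resets every other scope to none, so any step in `upload_all` that needs `contents: read` (for example a checkout) now has to list it explicitly.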
Expand All @@ -108,6 +115,4 @@ jobs:

- uses: pypa/gh-action-pypi-publish@release/v1
with:
user: __token__
# Remember to generate this and set it in "GitHub Secrets"
password: ${{ secrets.pypi_password }}
print-hash: true
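Review bot: dropping `user: __token__` and `password: ${{ secrets.pypi_password }}` is correct for trusted publishing, but the underlying API token is still valid until it is revoked on PyPI and the `pypi_password` secret is deleted from the repository; that cleanup should be called out in the PR rather than left for later. Also consider pinning `pypa/gh-action-pypi-publish@release/v1` to a full commit SHA, since `release/v1` is a mutable branch and this step is exactly where a tampered action would be able to mint and use the OIDC token. Keeping `print-hash: true` is good, as the printed digests give a record to compare against what lands on PyPI.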
