Configure PyPI upload to use trusted publishing

coldfix · Nov 18, 2023 · 80739ae · 80739ae
1 parent d06271f
commit 80739ae
Showing 1 changed file with 17 additions and 8 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -4,8 +4,8 @@ on:
   pull_request:
 
 jobs:
-  pypi:
-    name: pypi.org
+  build:
+    name: Build and check package
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -17,14 +17,23 @@ jobs:
       - run: python setup.py sdist bdist_wheel
       - run: twine check dist/*
 
+      - uses: actions/upload-artifact@v3
+        with: {name: dist, path: dist/}
+
+  pypi:
+    name: Upload to pypi.org
+    needs: build
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags')
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v3
+        with: {name: dist}
       - uses: pypa/gh-action-pypi-publish@release/v1
-        if: startsWith(github.ref, 'refs/tags')
-        with:
-          user: coldfix-deploy
-          password: ${{ secrets.PYPI_PASSWORD }}
 
   docker:
-    name: hub.docker.com
+    name: Upload to hub.docker.com
     runs-on: ubuntu-latest
     steps:
       - uses: docker/setup-qemu-action@v3
@@ -70,7 +79,7 @@ jobs:
         if: startsWith(github.ref, 'refs/tags/v')
 
   snap:
-    name: snapcraft.io
+    name: Upload to snapcraft.io
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4