github actions: pypi-release use trusted publisher

jcmgray · May 8, 2024 · ce6091e · ce6091e
1 parent fcd5062
commit ce6091e
Showing 1 changed file with 38 additions and 15 deletions.
diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml
@@ -12,23 +12,25 @@ jobs:
  runs-on: ubuntu-latest
  if: github.repository == 'jcmgray/cotengra'
  steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
  with:
  fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@v5
  name: Install Python
  with:
- python-version: 3.8
+ python-version: "3.12"
 
  - name: Install dependencies
  run: |
  python -m pip install --upgrade pip
  python -m pip install build twine
+
  - name: Build tarball and wheels
  run: |
  git clean -xdf
  git restore -SW .
  python -m build
+
  - name: Check built artifacts
  run: |
  python -m twine check --strict dist/*
@@ -39,7 +41,7 @@ jobs:
  else
  echo "✅ Looks good"
  fi
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@v4
  with:
  name: releases
  path: dist
@@ -48,29 +50,45 @@ jobs:
  needs: build-artifacts
  runs-on: ubuntu-latest
  steps:
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@v5
  name: Install Python
  with:
- python-version: 3.8
- - uses: actions/download-artifact@v3
+ python-version: "3.12"
+ - uses: actions/download-artifact@v4
  with:
  name: releases
  path: dist
  - name: List contents of built dist
  run: |
  ls -ltrh
  ls -ltrh dist
+
  - name: Verify the built dist/wheel is valid
  if: github.event_name == 'push'
  run: |
  python -m pip install --upgrade pip
  python -m pip install dist/cotengra*.whl
+
+ upload-to-test-pypi:
+ needs: test-built-dist
+ if: github.event_name == 'push'
+ runs-on: ubuntu-latest
+
+ environment:
+ name: pypi
+ url: https://test.pypi.org/p/cotengra
+ permissions:
+ id-token: write
+
+ steps:
+ - uses: actions/download-artifact@v4
+ with:
+ name: releases
+ path: dist
  - name: Publish package to TestPyPI
  if: github.event_name == 'push'
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@v1.8.14
  with:
- user: __token__
- password: ${{ secrets.TESTPYPI_TOKEN }}
  repository-url: https://test.pypi.org/legacy/
  verbose: true
 
@@ -79,14 +97,19 @@ jobs:
  needs: test-built-dist
  if: github.event_name == 'release'
  runs-on: ubuntu-latest
+
+ environment:
+ name: pypi
+ url: https://pypi.org/p/cotengra
+ permissions:
+ id-token: write
+
  steps:
- - uses: actions/download-artifact@v3
+ - uses: actions/download-artifact@v4
  with:
  name: releases
  path: dist
  - name: Publish package to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@v1.8.14
  with:
- user: __token__
- password: ${{ secrets.PYPI_TOKEN }}
- verbose: true
+ verbose: true