Merge pull request #15 from dnv-opensource/14-change-the-publishing-w…

…orkflow-to-use-openid-connect-trusted-publisher-management-when-publishing-to-pypi Changed publishing workflow to use OpenID Connect
dnv-opensource · Feb 27, 2024 · 949ab1a · 949ab1a
2 parents 4ca3462 + 5f34aa0
commit 949ab1a
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 72 deletions.
diff --git a/.github/workflows/_publish_package.yml b/.github/workflows/_publish_package.yml
@@ -1,22 +1,17 @@
-name: Publish Package to pypi
-
-on:
-  workflow_call:
-    secrets:
-      PYPI_API_TOKEN:
-        required: true
-
-jobs:
-  publish:
-    name: Publish package
-    runs-on: ubuntu-latest
-    environment: pypi
-    steps:
-      - uses: actions/download-artifact@v3
-        with:
-          name: artifact
-          path: ./dist/
-      - uses: pypa/[email protected]
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
+name: Publish Package to pypi
+
+on: workflow_call
+
+jobs:
+  publish:
+    name: Publish package
+    runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v3
+        with:
+          name: artifact
+          path: ./dist/
+      - uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/.github/workflows/_publish_package_test.yml b/.github/workflows/_publish_package_test.yml
@@ -1,23 +1,19 @@
-name: Publish Package to testpypi
-
-on:
-  workflow_call:
-    secrets:
-      TEST_PYPI_API_TOKEN:
-        required: true
-
-jobs:
-  publish:
-    name: Publish package
-    runs-on: ubuntu-latest
-    environment: test_pypi
-    steps:
-      - uses: actions/download-artifact@v3
-        with:
-          name: artifact
-          path: ./dist/
-      - uses: pypa/[email protected]
-        with:
-          repository-url: https://test.pypi.org/legacy/
-          user: __token__
-          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
+name: Publish Package to testpypi
+
+on: workflow_call
+
+jobs:
+  publish:
+    name: Publish package
+    runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v3
+        with:
+          name: artifact
+          path: ./dist/
+      - uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
diff --git a/.github/workflows/publish_release.yml b/.github/workflows/publish_release.yml
@@ -1,27 +1,23 @@
-name: Publish Release
-run-name: Publish Release ${{ github.event.ref }} created by @${{ github.actor }}
-
-on:
-  push:
-    tags:
-      - v*
-
-jobs:
-  build_package:
-    uses: ./.github/workflows/_build_package.yml
-  publish_package:
-    needs:
-      - build_package
-    uses: ./.github/workflows/_publish_package.yml
-    secrets:
-      PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
-  # publish_package_test:
-  #   needs:
-  #     - build_package
-  #   uses: ./.github/workflows/_publish_package_test.yml
-  #   secrets:
-  #     TEST_PYPI_API_TOKEN: ${{ secrets.TEST_PYPI_API_TOKEN }}
-  merge_into_release:
-    uses: ./.github/workflows/_merge_into_release.yml
-    secrets:
-      RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+name: Publish Release
+run-name: Publish Release ${{ github.event.ref }} created by @${{ github.actor }}
+
+on:
+  push:
+    tags:
+      - v*
+
+jobs:
+  build_package:
+    uses: ./.github/workflows/_build_package.yml
+  publish_package:
+    needs:
+      - build_package
+    uses: ./.github/workflows/_publish_package.yml
+  # publish_package_test:
+  #   needs:
+  #     - build_package
+  #   uses: ./.github/workflows/_publish_package_test.yml
+  merge_into_release:
+    uses: ./.github/workflows/_merge_into_release.yml
+    secrets:
+      RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}