
Publish to TestPyPI and PyPI via OpenID Connect token #2453

Merged (3 commits, branch pypi-oidc into main, Mar 23, 2023)

Conversation


@weiji14 weiji14 commented Mar 22, 2023

Description of proposed changes

Using a short-lived API token generated by OpenID Connect (OIDC) instead of a long-lived secret to publish packages to TestPyPI and PyPI.

I've set up the OIDC publisher at both TestPyPI and PyPI under the publishing settings like so:

[Screenshot: PyPI settings to set up OIDC publishing]

To be super sure, I've also tested this on my own project at weiji14/zen3geo#90. See the publish-to-pypi workflow run using OIDC at https://github.com/weiji14/zen3geo/actions/runs/4495219924/jobs/7908620558#step:8:21, and the package that was successfully uploaded at https://test.pypi.org/project/zen3geo/0.5.1.dev19.

References:

Xref #2451 (comment)

Reminders

  • Run make format and make check to make sure the code follows the style guide.
  • Add tests for new features or tests that would have caught the bug that you're fixing.
  • Add new public functions/methods/classes to doc/api/index.rst.
  • Write detailed docstrings for all functions/methods.
  • If wrapping a new module, open a 'Wrap new GMT module' issue and submit reasonably-sized PRs.
  • If adding new functionality, add an example to docstrings or tutorials.
  • Use underscores (not hyphens) in names of Python files and directories.

Slash Commands

You can write slash commands (/command) in the first line of a comment to perform
specific operations. Supported slash commands are:

  • /format: automatically format and lint the code
  • /test-gmt-dev: run full tests on the latest GMT development version
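
For reference, this is the shape of the workflow the PR describes, written here as an added example and not PyGMT's actual `publish-to-pypi.yml`. The `password` line that carried the long-lived secret is left in as a comment beside the OIDC form that replaces it. The trigger, the build step and the environment name `pypi` are assumptions; the `id-token: write` permission and the `repository-url` input are taken from the pypa/gh-action-pypi-publish README (the PR itself pins v1.8.1, where the input may still be spelled `repository_url`).

```yaml
# .github/workflows/publish-to-pypi.yml  (added example, not PyGMT's file)
#
# The file name is part of the trust decision: the trusted-publisher entry on
# PyPI/TestPyPI records owner, repository, this workflow's file name and,
# optionally, a GitHub environment. The OIDC token GitHub mints for the job
# carries those claims, and PyPI only issues an upload token if they match.
name: Publish to PyPI

on:
  push:
    tags: ["v*"]            # assumption: tag pushes go to TestPyPI
  release:
    types: [published]      # assumption: GitHub releases go to PyPI

jobs:
  publish:
    runs-on: ubuntu-latest
    # Assumed environment name. An environment with required reviewers is
    # what stops anyone with push access from minting a publish token.
    environment: pypi
    permissions:
      contents: read        # least privilege: the job only needs to read the repo
      id-token: write       # lets the job request an OIDC token from GitHub

    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-python@v4
        with:
          python-version: "3.x"

      - name: Build sdist and wheel
        run: |
          python -m pip install build
          python -m build

      # Before this PR (long-lived secret stored in the repository):
      #
      #   - uses: pypa/gh-action-pypi-publish@v1.8.1
      #     with:
      #       password: ${{ secrets.TEST_PYPI_API_TOKEN }}
      #
      # After: no `password` input at all. The action exchanges GitHub's OIDC
      # token for a short-lived upload token scoped to this one project.
      - name: Publish to TestPyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          repository-url: https://test.pypi.org/legacy/

      - name: Publish to PyPI
        if: github.event_name == 'release'
        uses: pypa/gh-action-pypi-publish@release/v1
```

Two practical checks follow from this. First, if the upload step fails with an authentication error after the switch, compare the workflow file name, repository and environment against the trusted-publisher entry on PyPI before anything else; a renamed workflow file silently invalidates the trust. Second, once the OIDC upload has been seen to work, the old `PYPI_API_TOKEN` and `TEST_PYPI_API_TOKEN` secrets should be deleted from GitHub and the tokens removed on PyPI/TestPyPI, so that a copy of them leaked from an old log or fork can no longer publish.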

Using a short-lived API token generated by OpenID Connect (OIDC) instead of a long-lived secret to publish packages to TestPyPI and PyPI. Refer to https://github.com/pypa/gh-action-pypi-publish/tree/v1.8.1#ipublishing-with-openid-connect
@weiji14 weiji14 self-assigned this Mar 22, 2023
@weiji14 weiji14 added the maintenance Boring but important stuff for the core devs label Mar 22, 2023
@weiji14 weiji14 added this to the 0.9.0 milestone Mar 22, 2023
@weiji14 weiji14 marked this pull request as ready for review March 22, 2023 23:31

seisman commented Mar 23, 2023

Looks good to me. Perhaps we should add a note that "the workflow file name must be publish-to-pypi.yml to match the settings in PyPI" at the beginning of the workflow file.

Also need to remove these API tokens from the GitHub secrets.

weiji14 and others added 2 commits March 23, 2023 16:15
Co-Authored-By: Dongdong Tian <seisman.info@gmail.com>
Mention that authentication to TestPyPI/PyPI happens via OpenID Connect.

weiji14 commented Mar 23, 2023

Looks good to me. Perhaps we should add a note that "the workflow file name must be publish-to-pypi.yml to match the settings in PyPI" at the beginning of the workflow file.

Ok, I've added the note at commit d01ea6b. Also mentioned the OpenID Connect (OIDC) authentication to TestPyPI/PyPI in doc/maintenance.md.

Also need to remove these API tokens from the GitHub secrets.

Yes, will do this after this PR is merged and we've checked that uploading to TestPyPI works. Will also need to remove the API tokens from TestPyPI and PyPI.

@weiji14 weiji14 merged commit 00c8370 into main Mar 23, 2023
@weiji14 weiji14 deleted the pypi-oidc branch March 23, 2023 08:26

weiji14 commented Mar 23, 2023

Also need to remove these API tokens from the GitHub secrets.

Yes, will do this after this PR is merged and we've checked that uploading to TestPyPI works. Will also need to remove the API tokens from TestPyPI and PyPI.

Ok, upload to TestPyPI was successful at https://test.pypi.org/project/pygmt/0.8.1.dev115/! See logs at https://github.com/GenericMappingTools/pygmt/actions/runs/4498503524/jobs/7915200866#step:8:20. This is how it looks on TestPyPI.

[Screenshot: pygmt 0.8.1.dev115 project page on TestPyPI]

I've also removed the PYPI_API_TOKEN and TEST_PYPI_API_TOKEN from GitHub secrets and TestPyPI/PyPI (which apparently were under my PyPI account since #900 (comment) 😂).
