From 1c62fe6ba2f4a1a68a461e4307ffbf4299aff0ea Mon Sep 17 00:00:00 2001
From: Aaron Bacchi
Date: Thu, 22 Feb 2024 11:36:16 -0600
Subject: [PATCH] Securing GHA Publish to pypi

---
 .github/workflows/publish.yaml | 65 +++++++++++++++++++---------------
 1 file changed, 36 insertions(+), 29 deletions(-)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index f5313a83f..f666569e5 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -4,39 +4,46 @@ name: Publish Python Package on: release: - types: [created, updated] + types: [created] jobs: - deploy: - + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - uses: actions/setup-python@v3 + with: + python-version: '3.x' + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install setuptools wheel + + - name: Build + run: | + python setup.py sdist bdist_wheel + + - uses: actions/upload-artifact@v3 + with: + path: ./dist + + pypi-publish: + needs: ['build'] + environment: + name: publish + url: 'https://pypi.org/project/labelbox/' runs-on: ubuntu-latest - permissions: # IMPORTANT: this permission is mandatory for trusted publishing id-token: write - steps: - - uses: actions/checkout@v2 - - - name: Set up Python - uses: actions/setup-python@v2 - with: - python-version: '3.x' - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install setuptools wheel twine - - - name: Build - run: | - python setup.py sdist bdist_wheel - - # - name: Publish - # env: - # TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }} - # TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }} - # run: | - # twine upload dist/* - - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 \ No newline at end of file + - uses: actions/download-artifact@v3 + + - name: Publish package distributions to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 + with: + packages-dir: artifact/ + +# Note that the build and pypi-publish jobs are split so that the additional permissions are only granted to the pypi-publish job.
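Review bot: Every action in the new `build` and `pypi-publish` jobs is referenced by a mutable ref (`actions/checkout@v3`, `actions/setup-python@v3`, `actions/upload-artifact@v3`, `actions/download-artifact@v3`, `pypa/gh-action-pypi-publish@release/v1`), so whoever can move those tags or that branch controls the code that runs next to the OIDC token which mints the PyPI publish credential; for a release workflow each should be pinned to a full commit SHA with the tag kept in a trailing comment (`uses: pypa/gh-action-pypi-publish@<sha> # release/v1`). The closing comment states that the extra permissions are granted only to `pypi-publish`, but `build` declares no `permissions:` block and therefore inherits the repository's default `GITHUB_TOKEN` scope, which may be read/write; adding `permissions:` / `  contents: read` under `build:` makes the comment true and keeps the build step's token least-privilege. The trigger `release: types: [created]` also fires when a draft release is saved, so a draft can start a real upload — `types: [published]` is the form the PyPA trusted-publishing guide uses; verify against the current GitHub docs. Whether the `publish` environment enforces required reviewers or branch restrictions is a repository setting not visible in this diff, so confirm it is configured before treating the environment as a deployment gate.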