# 🔒 Securely Publish Your Packages to PyPI and Automate Workflows in GitHub

This guide outlines how to generate, store, and use secrets like API tokens in your GitHub repository to securely publish your packages to PyPI and automate workflows.


## 📋 Overview

Publishing packages to PyPI from GitHub Actions requires credentials (a PyPI API token and, for workflow automation, a GitHub access token) that must not be committed to the repository. GitHub repository secrets hold them for you and expose them only to the workflows that reference them. This guide outlines how to generate these tokens, store them as secrets, and use them in your workflows.


## ✅ Prerequisites

1. GitHub account with repository permissions.
2. PyPI account with API token permissions.


## 🛠️ Step 1: Generate a PyPI API Token

1. **Log in to PyPI**:
   - Go to [https://pypi.org/](https://pypi.org/) and log in to your account.


2. **Navigate to Account Settings**:
   - Click on your profile icon and select "Account settings."


3. **Create a New API Token**:

   - Scroll to the **API tokens** section and select "Add API token."
   - Assign the token a name, e.g., `GitHub_Actions`.
   - Choose **scope**:
     - **Entire account**: Access all projects.
     - **Specific project**: Access a single project (recommended for security).

   ![create-api-token](./figs/pypi_key.png)


4. **Copy the Token**:

   - After generating, copy the token **immediately** as it will not be shown again.

   ![copy-api-token](./figs/keys.png)


## 🔒 Step 2: Store the PyPI Token in GitHub Secrets

1. **Go to Your GitHub Repository**:
   - Open your repository on [GitHub](https://github.com/).


2. **Access Settings**:
   - Click on "Settings" in your repository.


3. **Navigate to Environment**:

   - Create a new Environment called `pypi` and add the following secrets:
     - `PYPI_TOKEN`: The API token you generated in Step 1.

   ![add-secrets](./figs/pypi_secret.png)


## 🔑 Step 3: Generate a GitHub Access Token

1. **Go to GitHub Developer Settings**:
   - In GitHub, navigate to your profile > **Settings** > **Developer settings** > **Personal access tokens** > **Tokens (classic)**.


2. **Generate a New Token**:
   - Click on **Generate new token** and provide a name (e.g., `GitHub Actions`).
   - **Select Expiration**: Choose a duration for the token's validity (e.g., 90 days or no expiration).
   - **Select Permissions**: For most use cases the following scopes are sufficient; the first three are the minimum required:
     - **repo**: Full control of private repositories.
     - **workflow**: Update GitHub Actions workflows.
     - **write:packages**: Upload packages to GitHub Packages.
     - **delete:packages**: Delete packages from GitHub Packages (optional).
   - **Generate Token**: Click **Generate token** at the top.


3. **Copy the Token**:
   - Copy the token **immediately** as it will not be shown again.


## 🔐 Step 4: Store the GitHub Access Token as a GitHub Secret

1. **Navigate to GitHub Repository Settings**:
   - Go back to **Settings** in your repository.


2. **Add a New Secret**:
   - Go to **Settings** > **Environments**, open the environment created in Step 2, and select **Add environment secret**.
   - **Name**: Use `GH_TOKEN`.
   - **Value**: Paste the GitHub Access Token you generated.
   - Click **Add secret** to save.
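As an added example (not part of the original guide), the following GitHub Actions workflow consumes the `pypi` environment and the `PYPI_TOKEN` secret from Step 2 to build and upload a release. The trigger, the action versions, the Python version, and the use of `build` and `twine` are assumptions; adjust them to your project.

```yaml
name: Publish to PyPI

on:
  release:
    types: [published]   # assumption: publish when a GitHub release is published

permissions:
  contents: read         # the default GITHUB_TOKEN needs nothing more for this job

jobs:
  build-and-publish:
    runs-on: ubuntu-latest
    # Referencing the environment is what makes its secrets (PYPI_TOKEN) available;
    # jobs that do not name the environment cannot read them.
    environment: pypi
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumption

      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build twine
          python -m build
          python -m twine check dist/*

      - name: Upload to PyPI
        env:
          # PyPI API tokens are used with the literal username "__token__".
          TWINE_USERNAME: __token__
          # The secret is injected at run time and masked in the job log.
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
        run: python -m twine upload dist/*
      # The GH_TOKEN secret from Step 4 is referenced the same way, e.g.
      # env: GH_TOKEN: ${{ secrets.GH_TOKEN }}, in any step that needs it.
```

Because the token is passed through `env` rather than interpolated into the `run` script, it never appears in the command line recorded in the job log.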
