PyPI Trusted Publishers.

This commit refactors our GitHub Actions release workflow away from its prior usage of antiquated (and unsurprisingly insecure) tokens to PyPI-specific "Trusted Publishers" (i.e., PyPI's modern implementation of OpenID Connect (OIDC)). In theory, doing so *should* resolve the current plethora of "Unverified details" that currently pollutes @beartype's PyPI project page. In practice, doing so will almost certainly change nothing and thus have no benefit whatsoever. Indeed, doing so will probably prevent our entire release workflow from behaving as expected – further squandering scarce open-source volunteerism for no particularly good reason whatsoever. Bureaucracy: "What is it good for when @leycec could just be playing video games about robot assassins who insist they mean well instead?" (*Parsimonious persimmons on a jumpin' juniper!*)
beartype · Jun 13, 2024 · e67e975 · e67e975
1 parent c451c9e
commit e67e975
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 10 deletions.
diff --git a/.github/workflows/python_release.yml b/.github/workflows/python_release.yml
@@ -53,7 +53,7 @@ jobs:
       - name: "Publishing GitHub release..."
         uses: 'ncipollo/release-action@v1'
         with:
-          name: "beartype ${{ github.ref }}"
+          name: "Beartype ${{ github.ref }}"
           body: ${{ github.event.commits[0].message }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -64,6 +64,29 @@ jobs:
     name: "Publish tagged release to PyPI"
     runs-on: ubuntu-latest
 
+    # GitHub Environment associated with this job.
+    #
+    # Note that PyPI strongly recommends use of a GitHub Environment as an
+    # additional security precaution for GitHub repositories that grant push
+    # access to different users with differing permissions. So, basically *ALL*
+    # GitHub repositories is what we are saying. See also:
+    # * "Publishing to PyPI with a Trusted Publisher."
+    #   https://docs.pypi.org/trusted-publishers
+    # * "Using environments for deployment."
+    #   https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#creating-an-environment
+    environment:
+      # Arbitrary name of this environment.
+      name: bear_den
+
+      # Arbitrary URL associated with this environment.
+      url: https://pypi.org/project/beartype
+
+    # Enable the "write" permission as required for PyPI Trusted Publishing.
+    # See also:
+    #     https://github.com/pypa/gh-action-pypi-publish
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
+
     # Perform this job *ONLY* if the prior job succeeded.
     needs: release
 
@@ -81,19 +104,24 @@ jobs:
           set -xe
           python -VV
           python -m site
-          python -m pip --quiet install --upgrade pip setuptools wheel
-      - name: 'Installing package dependencies...'
-        run: |
-          python -m pip --quiet install --upgrade twine
+          python -m pip --quiet install --upgrade pip hatch wheel
+
+      #FIXME: Pretty sure that "twine" is no longer required. *shrug*
+      # - name: 'Installing package dependencies...'
+      #   run: |
+      #     python -m pip --quiet install --upgrade twine
+
       - name: "Creating source tarball and binary wheel..."
         run: |
           set -xe
-          python setup.py sdist bdist_wheel
+          hatch build -t sdist -t wheel
       - name: "Publishing PyPI release from tag..."
         uses: 'pypa/gh-action-pypi-publish@release/v1'
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
+        #FIXME: This should no longer be required. See also:
+        #    https://github.com/pypa/gh-action-pypi-publish
+        # with:
+        #   user: __token__
+        #   password: ${{ secrets.PYPI_API_TOKEN }}
 
       #FIXME: Enable after integrating this "pypi" job into the "release" job
       #above. In theory, this should be trivial. Let's test this later, eh?

diff --git a/pyproject.toml b/pyproject.toml
@@ -41,7 +41,7 @@ name = "beartype"
 # * Prefix each newline in this string with a continuation character, which then
 #   forces line wrapping.
 description = """\
-Unbearably fast runtime type-checking in pure Python.
+Unbearably fast near-real-time hybrid runtime-static type-checking in pure Python.
 """
 
 # Relative filename of the top-level file describing project licensing.