support PyPI trusted publishers

README.md

@@ -42,6 +42,7 @@ Other features (supported by both) include:
 
 - Supports checking built files
 - Supports skipping existing uploads
+- Supports OIDC PyPI trusted publishing
 
 ## Inputs
 
@@ -54,7 +55,11 @@ inputs:
     default: __token__
   password:
     description: PyPI password or API token
-    required: true
+    required: false
+  registry_domain:
+    description: PyPI trusted publisher URL
+    required: false
+    default: https://upload.pypi.org
   requirements:
     description: Packages to `pip install` before building
     default: twine wheel build

action.yml

@@ -8,7 +8,11 @@ inputs:
     default: __token__
   password:
     description: PyPI password or API token
-    required: true
+    required: false
+  registry_domain:
+    description: PyPI trusted publisher URL
+    required: false
+    default: https://upload.pypi.org
   requirements:
     description: Packages to `pip install` before building
     required: false
@@ -121,6 +125,12 @@ runs:
             TWINE_OPTS="$TWINE_OPTS --skip-existing"
           fi
           python -m pip install twine
+          if [[ -z "$TWINE_PASSWORD" ]]; then
+            # vis https://docs.pypi.org/trusted-publishers/using-a-publisher/#the-manual-way
+            oidc_token=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi" | jq -r '.value')
+            export TWINE_PASSWORD=$(curl https://pypi.org/_/oidc/mint-token -d "{\"token\": \"${oidc_token}\"}" | jq -r '.token')
+            echo "::add-mask::$TWINE_PASSWORD"
+          fi
           python -m twine upload $TWINE_OPTS "${DIST}"/*
         fi
         pushd "$DIST"
@@ -138,6 +148,7 @@ runs:
         TWINE_REPOSITORY_URL: ${{ inputs.url }}
         TWINE_USERNAME: ${{ inputs.user }}
         TWINE_PASSWORD: ${{ inputs.password }}
+        INPUT_REGISTRY_DOMAIN: ${{ inputs.registry_domain }}
 branding:
   icon: upload-cloud
   color: blue