build(release): publish to PyPI (& testPyPI), using trusted publisher

Having specified a "trusted publisher" (the repository and GHA workflow), no tokens and secrets are necessary. BREAKING: Bump to v1.0.0
computational-psychology · May 22, 2023 · 51b0d0e · 51b0d0e
1 parent db12dda
commit 51b0d0e
Showing 1 changed file with 33 additions and 2 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,6 +7,9 @@ on:
 jobs:
   test_publish:
     runs-on: ubuntu-latest
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing to PyPI
+      id-token: write
 
     steps:
       - name: Fetch wheel(s) from release
@@ -26,8 +29,6 @@ jobs:
       - name: Publish to TestPyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
           repository_url: https://test.pypi.org/legacy/
 
       - name: Test install from TestPyPI
@@ -37,3 +38,33 @@ jobs:
           --extra-index-url https://pypi.org/simple \
           stimupy
 
+  publish:
+    needs: test_publish
+    runs-on: ubuntu-latest
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing to PyPI
+      id-token: write
+
+    steps:
+      - name: Fetch wheel(s) from release
+        uses: dsaltares/fetch-gh-release-asset@1.1.0
+        with:
+          regex: true
+          file: 'stimupy-.[0-9]*\.[0-9]*\.[0-9]*-py3-none-any\.whl'
+          target: 'dist/'
+
+      - name: Fetch sdist(s) from release
+        uses: dsaltares/fetch-gh-release-asset@1.1.0
+        with:
+          regex: true
+          file: 'stimupy-.[0-9]*\.[0-9]*\.[0-9]*\.tar.gz'
+          target: 'dist/'
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+      - name: Test install from PyPI
+        run: |
+          pip install \
+          --index-url https://pypi.org/simple/ \
+          stimupy