Merge pull request #631 from maresb/pypi-oidc

Update GHA release workflow to use trusted publishing / OIDC
conda · May 2, 2024 · 6a262cd · 6a262cd
2 parents 403c66d + 80a9dc5
commit 6a262cd
Showing 1 changed file with 19 additions and 4 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -8,7 +8,7 @@ on:
     branches: [master, main]
 
 jobs:
-  packages:
+  build:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
@@ -35,9 +35,24 @@ jobs:
         python -m twine check dist/*
       shell: bash
 
+    - name: Upload dist files for publication
+      uses: actions/upload-artifact@v2
+      with:
+        name: dist-files
+        path: dist
+
+  publish:
+    runs-on: ubuntu-latest
+    needs: build
+    # Run this job in an isolated GHA environment containing the OIDC credentials.
+    environment: release
+    permissions:
+      id-token: write
+    steps:
+    - uses: actions/download-artifact@v2
+      with:
+        name: dist-files
+        path: dist
     - name: Publish a Python distribution to PyPI
       if: ${{ github.event_name == 'release' }}
       uses: pypa/gh-action-pypi-publish@v1.8.14
-      with:
-        user: __token__
-        password: ${{ secrets.PYPI_PASSWORD }}