From 6983e58b9b66a6d79c436801c23f6f4bf25d5120 Mon Sep 17 00:00:00 2001 From: Adrien Mannocci Date: Mon, 10 Jul 2023 12:48:28 +0200 Subject: [PATCH 1/3] ci: use trusted publisher instead of token auth Signed-off-by: Adrien Mannocci --- .github/workflows/release-trusted.yml | 35 +++++++++++++++++++++++++++ setup.cfg | 2 +- 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/release-trusted.yml diff --git a/.github/workflows/release-trusted.yml b/.github/workflows/release-trusted.yml new file mode 100644 index 000000000..8e19ab23a --- /dev/null +++ b/.github/workflows/release-trusted.yml @@ -0,0 +1,35 @@ +name: release + +on: + push: + branches: + - "feat/trusted-publisher" + +permissions: + contents: read + +jobs: + test: + uses: ./.github/workflows/test.yml + + packages: + uses: ./.github/workflows/packages.yml + + publish-pypi: + needs: + - test + - packages + runs-on: ubuntu-latest + environment: release + permissions: + id-token: write # IMPORTANT: this permission is mandatory for trusted publishing + steps: + - uses: actions/checkout@v3 + - uses: actions/download-artifact@v3 + with: + name: packages + path: dist + - name: Upload + uses: pypa/gh-action-pypi-publish@release/v1 + with: + repository-url: https://test.pypi.org/legacy/ diff --git a/setup.cfg b/setup.cfg index 4508e0416..b076b870a 100644 --- a/setup.cfg +++ b/setup.cfg @@ -3,7 +3,7 @@ universal=1 [metadata] license_file = LICENSE -name = elastic-apm +name = elastic-apm-ci url = https://github.com/elastic/apm-agent-python author = Elastic, Inc description = The official Python module for Elastic APM From b0c4f22d5fbc117b9d9d5e750156899c691f097e Mon Sep 17 00:00:00 2001 From: Adrien Mannocci Date: Mon, 10 Jul 2023 14:52:36 +0200 Subject: [PATCH 2/3] ci: backport changes to release workflow 
Signed-off-by: Adrien Mannocci --- .github/workflows/release-trusted.yml | 35 --------------------------- .github/workflows/release.yml | 33 ++++++++----------------- setup.cfg | 2 +- 3 files changed, 11 insertions(+), 59 deletions(-) delete mode 100644 .github/workflows/release-trusted.yml diff --git a/.github/workflows/release-trusted.yml b/.github/workflows/release-trusted.yml deleted file mode 100644 index 8e19ab23a..000000000 --- a/.github/workflows/release-trusted.yml +++ /dev/null @@ -1,35 +0,0 @@ -name: release - -on: - push: - branches: - - "feat/trusted-publisher" - -permissions: - contents: read - -jobs: - test: - uses: ./.github/workflows/test.yml - - packages: - uses: ./.github/workflows/packages.yml - - publish-pypi: - needs: - - test - - packages - runs-on: ubuntu-latest - environment: release - permissions: - id-token: write # IMPORTANT: this permission is mandatory for trusted publishing - steps: - - uses: actions/checkout@v3 - - uses: actions/download-artifact@v3 - with: - name: packages - path: dist - - name: Upload - uses: pypa/gh-action-pypi-publish@release/v1 - with: - repository-url: https://test.pypi.org/legacy/ diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fed2c00c5..03a77ce47 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -20,32 +20,19 @@ jobs: - test - packages runs-on: ubuntu-latest - env: - PYPI_SECRET_PATH: secret/apm-team/ci/apm-agent-python-pypi-prod + environment: release + permissions: + id-token: write # IMPORTANT: this permission is mandatory for trusted publishing steps: - uses: actions/checkout@v3 - - uses: hashicorp/vault-action@v2.4.2 - with: - url: ${{ secrets.VAULT_ADDR }} - method: approle - roleId: ${{ secrets.VAULT_ROLE_ID }} - secretId: ${{ secrets.VAULT_SECRET_ID }} - secrets: | - ${{ env.PYPI_SECRET_PATH }} user | TWINE_USER ; - ${{ env.PYPI_SECRET_PATH }} password | TWINE_PASSWORD - uses: actions/download-artifact@v3 with: name: packages path: dist - name: Upload - run: | - python -m pip install --user twine - python setup.py sdist - echo "Uploading to ${REPO_URL} with user ${TWINE_USER}" - python -m twine upload --username "${TWINE_USER}" --password "${TWINE_PASSWORD}" --skip-existing --repository-url ${REPO_URL} dist/*.tar.gz - python -m twine upload --username "${TWINE_USER}" --password "${TWINE_PASSWORD}" --skip-existing --repository-url ${REPO_URL} dist/*.whl - env: - REPO_URL: "https://upload.pypi.org/legacy/" + uses: pypa/gh-action-pypi-publish@f5622bde02b04381239da3573277701ceca8f6a0 + with: + repository-url: https://upload.pypi.org/legacy/ build-distribution: uses: ./.github/workflows/build-distribution.yml @@ -56,7 +43,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - uses: hashicorp/vault-action@v2.5.0 + - uses: hashicorp/vault-action@v2.7.2 with: url: ${{ secrets.VAULT_ADDR }} method: approle @@ -74,7 +61,7 @@ jobs: # Convert v1.2.3 to ver-1-2-3 VERSION=${GITHUB_REF_NAME/v/ver-} VERSION=${VERSION//./-} - + ELASTIC_LAYER_NAME="elastic-apm-python-${VERSION}" .ci/publish-aws.sh - uses: actions/upload-artifact@v3 with: 
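Review bot: In the `publish-pypi` job of release.yml only the publish action is pinned to a commit; `actions/checkout@v3` and `actions/download-artifact@v3` still resolve mutable tags inside the one job that holds `id-token: write`, and any step of that job can request the OIDC token that PyPI exchanges for an upload credential. Pin both to full commit SHAs (`uses: actions/download-artifact@<commit-sha> # v3`), and consider dropping the checkout step, since the new Upload step no longer runs `setup.py` and appears to need only the downloaded `dist` directory. The same pinning applies to `hashicorp/vault-action@v2.7.2` in the next hunk, which is handed the Vault AppRole id and secret. The old twine call passed `--skip-existing`; if re-running a partially failed release should stay possible, add `skip-existing: true` under `with:`. The job's `needs:` list starts above the hunk and the protection rules of the `release` environment are not visible here; presumably the PyPI trusted-publisher entry names that environment, which is worth confirming.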
@@ -113,7 +100,7 @@ jobs: . - name: Docker retag run: >- - docker tag + docker tag ${{ steps.setup-docker.outputs.name }}:${{ steps.setup-docker.outputs.tag }} ${{ steps.setup-docker.outputs.name }}:latest - name: Docker push @@ -133,7 +120,7 @@ jobs: with: name: arn-file - name: Create GitHub Draft Release - run: >- + run: >- gh release create "${GITHUB_REF_NAME}" --title="${GITHUB_REF_NAME}" --generate-notes diff --git a/setup.cfg b/setup.cfg index b076b870a..4508e0416 100644 --- a/setup.cfg +++ b/setup.cfg @@ -3,7 +3,7 @@ universal=1 [metadata] license_file = LICENSE -name = elastic-apm-ci +name = elastic-apm url = https://github.com/elastic/apm-agent-python author = Elastic, Inc description = The official Python module for Elastic APM From fed88ec110fd052aec592cdb1e3da807b6aa48cb Mon Sep 17 00:00:00 2001 From: Adrien Mannocci Date: Tue, 11 Jul 2023 16:37:02 +0200 Subject: [PATCH 3/3] ci: build also source distribution Signed-off-by: Adrien Mannocci --- .github/workflows/packages.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/packages.yml b/.github/workflows/packages.yml index 27f4da4f7..148110c7f 100644 --- a/.github/workflows/packages.yml +++ b/.github/workflows/packages.yml @@ -25,6 +25,8 @@ jobs: run: pip install --user wheel - name: Building universal wheel run: python setup.py bdist_wheel + - name: Building source distribution + run: python setup.py sdist - name: Upload Packages uses: actions/upload-artifact@v3 with:
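Review bot: In packages.yml the sdist that the release job now publishes is built with tooling installed unpinned (`pip install --user wheel`, the context line just above the added step), so the contents of the published artifacts depend on whatever versions PyPI serves at release time. Install the build tools from a pinned, hash-checked requirements file instead, e.g. `run: pip install --user --require-hashes -r <path/to/build-requirements.txt>`. Separately, invoking `setup.py` directly is deprecated by setuptools; `python -m build --sdist --wheel` should produce both files in one step once `build` is part of that pinned set. The job's earlier steps and the `with:` block of the upload step lie outside the hunk.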