You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
To get GitHub actions publishing to PyPI and TestPyPI, we had to create API tokens for each project and add them as Secrets to the respective repositories. These tokens are a bit dangerous if they leak since they give publishing rights. A better approach is the new Trusted Publishers in PyPI. Basically, admins can configure PyPI to exchange tokens with an Action running on a particular repo. Then we don't need the API tokens.
On PyPI and TestPyPI, go to the package configuration, then "Publishing" and add our repository as a trusted publisher. Set the "environment" to "pypi".
On the repository, edit the publish job of pypi.yml to look like this:
publish:
runs-on: ubuntu-latest
needs: build
# Only publish from the origin repository, not forks
if: github.repository_owner == 'fatiando' && github.event_name != 'pull_request'
environment: pypi
permissions:
# This permission allows trusted publishing to PyPI (without an API token)
id-token: write
Remove the following from the steps that use the PyPI Action:
Start by opening Pull Requests on each repository listed above.
Optionally, we can open Issues on each repository if further discussion specific to that repository is needed.
Mention this Issue on every Issue or Pull Request opened on each opened: Related to fatiando/community#XX
Check-off the repository on the list above once the Pull Request is merged.
Close this issue when all items are checked-off.
We want your help!
We know that maintenance tasks are very demanding, so we don't expect a single person to tackle this issue by themselves. Any help is very welcomed, so please comment below that you want to take care of the changes on any repository and we will assign it to you.
The text was updated successfully, but these errors were encountered:
Description:
To get GitHub actions publishing to PyPI and TestPyPI, we had to create API tokens for each project and add them as Secrets to the respective repositories. These tokens are a bit dangerous if they leak since they give publishing rights. A better approach is the new Trusted Publishers in PyPI. Basically, admins can configure PyPI to exchange tokens with an Action running on a particular repo. Then we don't need the API tokens.
To do this:
publishjob ofpypi.ymlto look like this:Apply to:
Further instructions:
Related to fatiando/community#XXWe want your help!
We know that maintenance tasks are very demanding, so we don't expect a single person to tackle this issue by themselves. Any help is very welcomed, so please comment below that you want to take care of the changes on any repository and we will assign it to you.
The text was updated successfully, but these errors were encountered: