From 3a3da5ef65d6d6936726c87881a0aacdc01861f2 Mon Sep 17 00:00:00 2001
From: Ralph Urlus
Date: Thu, 11 Apr 2024 09:57:21 +0200
Subject: [PATCH] CICD: Switch to trusted publisher based auth for releases to PyPi

---
 .github/workflows/wheels.yml | 34 ++++++++++++++++++++++++++++++----
 1 file changed, 30 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml
index bef4c3b..176503d 100644
--- a/.github/workflows/wheels.yml
+++ b/.github/workflows/wheels.yml
@@ -157,11 +157,38 @@ jobs:
           name: artifact-macos-x86-64
           path: wheelhouse/*.whl
 
-  upload_all:
-    name: Upload if release
+  publish-to-testpypi:
+    name: Publish release on TestPyPi
     needs: [build_sdist, build_wheels, build_macos_intel]
     runs-on: ubuntu-latest
+    if: github.repository_owner != 'ing-bank' # prevent forks from running this step
+    environment: testrelease
+    permissions:
+      id-token: write # IMPORTANT: mandatory for trusted publishing
+
+    steps:
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+      - uses: actions/download-artifact@v4
+        with:
+          pattern: artifact-*
+          merge-multiple: true
+          path: dist
+
+      - uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          skip-existing: true
+
+  pypi-publish:
+    name: Publish release on PyPi
+    needs: [build_sdist, build_wheels, build_macos_intel, publish-to-testpypi]
+    runs-on: ubuntu-latest
     if: github.event_name == 'release' && github.event.action == 'published'
+    environment: release
+    permissions:
+      id-token: write
 
     steps:
       - uses: actions/setup-python@v5
@@ -176,5 +203,4 @@ jobs:
       - uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: ${{ secrets.PYPI_USER }}
-          password: ${{ secrets.PYPI_PASS }}
+          skip-existing: true
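Review bot: The guard `if: github.repository_owner != 'ing-bank'` on publish-to-testpypi reads as inverted relative to its own comment: it lets forks run the job and skips it on the ing-bank repository, and because pypi-publish lists publish-to-testpypi in `needs`, a skipped TestPyPI job also skips the PyPI publish on the upstream repository, so a published release would never upload. If the intent is what the comment states, the line should be `if: github.repository_owner == 'ing-bank' # prevent forks from running this step`, ideally combined with the same release-event condition pypi-publish uses so TestPyPI is not hit on every trigger of this workflow. Separately, `pypa/gh-action-pypi-publish@release/v1` is a moving branch ref; a step that mints an OIDC token for publishing is worth pinning to a full commit SHA with the version in a trailing comment, and the same applies to the `@v5`/`@v4` action tags. The pypi-publish job's steps continue past the end of the first hunk.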