CICD: Switch to trusted publisher based auth for releases to PyPi

ing-bank · May 13, 2024 · c11a0cf · c11a0cf
1 parent 2aee019
commit c11a0cf
Showing 1 changed file with 29 additions and 4 deletions.
diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml
@@ -104,11 +104,37 @@ jobs:
         name: artifact-macos-x86-64
         path: wheelhouse/*.whl
 
-  upload_all:
-    name: Upload if release
+  publish-to-testpypi:
+    name: Publish release on TestPyPi
     needs: [build_sdist, build_wheels, build_macos_intel]
     runs-on: ubuntu-latest
+    environment: testrelease
+    permissions:
+      id-token: write  # IMPORTANT: mandatory for trusted publishing
+
+    steps:
+    - uses: actions/setup-python@v5
+      with:
+        python-version: "3.10"
+    - uses: actions/download-artifact@v4
+      with:
+        pattern: artifact-*
+        merge-multiple: true
+        path: dist
+
+    - uses: pypa/gh-action-pypi-publish@release/v1
+      with:
+        repository-url: https://test.pypi.org/legacy/
+        skip_existing: true
+
+  pypi-publish:
+    name: Publish release on PyPi
+    needs: [build_sdist, build_wheels, build_macos_intel, publish-to-testpypi]
+    runs-on: ubuntu-latest
     if: github.event_name == 'release' && github.event.action == 'published'
+    environment: release
+    permissions:
+      id-token: write
 
     steps:
     - uses: actions/setup-python@v5
@@ -123,5 +149,4 @@ jobs:
 
     - uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        user: ${{ secrets.PYPI_USER }}
-        password: ${{ secrets.PYPI_PASS }}
+        skip_existing: true