Use PyPI OIDC

manics · Nov 10, 2023 · 669d298 · 669d298
1 parent c394adf
commit 669d298
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -70,7 +70,7 @@ jobs:
         run: |
           ./ci/build-and-test.sh
 
-  # https://packaging.python.org/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/
+  # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi
   publish-pypi:
     name: Pypi
     needs:
@@ -79,18 +79,24 @@ jobs:
       - build
       - test
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - uses: actions/checkout@v4
+
       - uses: actions/setup-python@v4
+
       - name: Install pypa/build
         run: python -m pip install build
+
       - name: Build a binary wheel and a source tarball
         run: python -m build --sdist --wheel --outdir dist/
+
+      # Uses OIDC
       - name: Publish to PyPI
         if: startsWith(github.ref, 'refs/tags')
         uses: pypa/gh-action-pypi-publish@v1.8.10
-        with:
-          password: ${{ secrets.PYPI_API_TOKEN }}
 
   container:
     name: Build container