Switch deploy method to use trusted publisher #211
Comments
Three things need to happen:
I can make a PR for (2), but do not have access to do (1) and (3). Someone else will have to do those.
jni pushed a commit that referenced this issue Jun 6, 2024
Closes #211

This PR switches to PyPI deployment with Trusted Publishing (see [the announcement](https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/) and [how trusted publishing works](https://docs.pypi.org/trusted-publishers/internals/)). It removes twine, and also removes the need for PyPI API tokens being used as github secrets.

This PR is not sufficient on its own, someone else also needs to:

* [Add a trusted publisher to our existing PyPI project](https://docs.pypi.org/trusted-publishers/adding-a-publisher/) (or you can [create a new PyPI project with a trusted publisher](https://docs.pypi.org/trusted-publishers/creating-a-project-through-oidc/)).
* Delete the old PyPI API tokens, from both PyPI and the GitHub repository secrets settings.
Right now we have a trusted publisher configured on PyPI but our deploy workflow still uses `twine` and its secret token to upload new releases. We should update the workflow file to remove the use of `twine` in favour of the `pypa/gh-action-pypi-publish@release` action as described here.