Switch deploy method to use trusted publisher #211

Closed
DragaDoncila opened this issue Apr 16, 2024 · 1 comment · Fixed by #212

Comments

@DragaDoncila

Right now we have a trusted publisher configured on PyPI but our deploy workflow still uses twine and its secret token to upload new releases.

We should update the workflow file to remove the use of twine in favour of the pypa/gh-action-pypi-publish@release action as described here.

@GenevieveBuckley
Contributor

Three things need to happen:

  1. Add a trusted publisher to our existing PyPI project (or you can create a new PyPI project with a trusted publisher).
  2. Merge a PR updating .github/workflows/release_drafter.yml. The deploy job needs to be given id-token: write permissions, and changed to use the pypa/gh-action-pypi-publish action (see example here).
  3. Delete the old PyPI API tokens, from both PyPI and the GitHub repository secrets settings.

I can make a PR for (2), but do not have access to do (1) and (3). Someone else will have to do those.

@jni closed this as completed in #212 on Jun 6, 2024
jni pushed a commit that referenced this issue on Jun 6, 2024
Closes #211

This PR switches to PyPI deployment with Trusted Publishing (see [the announcement](https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/) and [how trusted publishing works](https://docs.pypi.org/trusted-publishers/internals/)). It removes twine, and also removes the need for PyPI API tokens being used as GitHub secrets.

This PR is not sufficient on its own, someone else also needs to:
* [Add a trusted publisher to our existing PyPI project](https://docs.pypi.org/trusted-publishers/adding-a-publisher/) (or you can [create a new PyPI project with a trusted publisher](https://docs.pypi.org/trusted-publishers/creating-a-project-through-oidc/)).
* Delete the old PyPI API tokens, from both PyPI and the GitHub repository secrets settings.