From 1fa629960aba68b43a1c0b93aaa38ff0db6c1315 Mon Sep 17 00:00:00 2001
From: "Ch.-David Blot"
Date: Wed, 24 Sep 2025 09:21:57 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=91=B7=20ci:=20Add=20new=20feature=20for?= =?UTF-8?q?=20trusted=20publisher?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.github/scripts/release-pr.sh | 2 +-
.github/workflows/build.yml | 4 ++--
.github/workflows/code-check-identified.yml | 4 ++--
.github/workflows/code-check.yml | 6 +++---
.github/workflows/codeql.yml | 12 +++++++-----
.github/workflows/cred-scan.yml | 11 +++++++----
.github/workflows/github-sanity-scan.yml | 9 ++++++---
.github/workflows/publish.yml | 18 +++++++++++-------
Makefile | 4 ----
scripts/upload_package.sh | 20 --------------------
10 files changed, 39 insertions(+), 51 deletions(-)
delete mode 100755 scripts/upload_package.sh
diff --git a/.github/scripts/release-pr.sh b/.github/scripts/release-pr.sh
index e1b1089..6848814 100755
--- a/.github/scripts/release-pr.sh
+++ b/.github/scripts/release-pr.sh
@@ -19,7 +19,7 @@ major=$(echo $new_sdk_version | cut -d '.' -f 1) branch_name="autobuild-$new_sdk_version" # https://docs.github.com/en/free-pro-team@latest/rest/reference/pulls#create-a-pull-request -result=$(curl -s -X POST -H "Authorization: token $GH_TOKEN" -d "{\"head\":\"$branch_name\",\"base\":\"master\",\"title\":\"SDK v$new_sdk_version\",\"body\":\"Automatic build of SDK v$new_sdk_version version based on Outscale API $osc_api_version\"}" "https://api.github.com/repos/outscale/osc-sdk-python/pulls") +result=$(curl -s -X POST -H "Authorization: token $GH_TOKEN" -d "{\"head\":\"$branch_name\",\"base\":\"main\",\"title\":\"SDK v$new_sdk_version\",\"body\":\"Automatic build of SDK v$new_sdk_version version based on Outscale API $osc_api_version\"}" "https://api.github.com/repos/outscale/osc-sdk-python/pulls") errors=$(echo $result | jq .errors)
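Review bot: The added `result=` line still assembles the pull-request JSON body by interpolating `$branch_name`, `$new_sdk_version` and `$osc_api_version` directly into a double-quoted string, so any of those values containing a double quote or backslash yields invalid JSON or changes the `base`/`title` fields of the request; only the base branch was changed here. The script already depends on jq (`jq .errors` on the next line), so build the payload with it instead: `payload=$(jq -cn --arg head "$branch_name" --arg title "SDK v$new_sdk_version" --arg body "Automatic build of SDK v$new_sdk_version version based on Outscale API $osc_api_version" '{head:$head,base:"main",title:$title,body:$body}')` and then pass `-d "$payload"` to curl. The variables are assigned before line 19 and the hunk's trailing context appears cut off, so the rest of the script is not visible here.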
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b92fde1..1b72e13 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -9,9 +9,9 @@ on: jobs: auto-build: environment: auto-build - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: ⬇️ Install Python uses: actions/setup-python@v5 with:
diff --git a/.github/workflows/code-check-identified.yml b/.github/workflows/code-check-identified.yml
index c724919..e4b355b 100644
--- a/.github/workflows/code-check-identified.yml
+++ b/.github/workflows/code-check-identified.yml
@@ -3,7 +3,7 @@ name: Code check On outscale on: pull_request: branches: - - master + - main permissions: pull-requests: write
@@ -20,7 +20,7 @@ jobs: secret_key: ${{ secrets.OSC_SECRET_KEY }} region: ${{ secrets.OSC_REGION }} - name: ⬇️ Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: ⬇️ Import Outscale API description run: make init - name: ⬇️ Install Python
diff --git a/.github/workflows/code-check.yml b/.github/workflows/code-check.yml
index 371590c..59a2a99 100644
--- a/.github/workflows/code-check.yml
+++ b/.github/workflows/code-check.yml
@@ -3,13 +3,13 @@ name: Code check Local on: pull_request: branches: - - master + - main jobs: code-check: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Import Outscale API description run: make init - name: Install Python
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 246ee6b..c2f7c14 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -2,11 +2,11 @@ name: "CodeQL" on: push: - branches: [ "master" ] + branches: [ "main" ] pull_request: - branches: [ "master" ] + branches: [ "main" ] schedule: - - cron: "33 13 * * 5" + - cron: "37 13 * * 5" jobs: analyze:
@@ -20,11 +20,13 @@ jobs: strategy: fail-fast: false matrix: - language: [ python ] + include: + - language: python + - language: actions steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Initialize CodeQL uses: github/codeql-action/init@v2
diff --git a/.github/workflows/cred-scan.yml b/.github/workflows/cred-scan.yml
index 1240c5e..8b8a6f9 100644
--- a/.github/workflows/cred-scan.yml
+++ b/.github/workflows/cred-scan.yml
@@ -2,14 +2,17 @@ name: Credential Scanner on: pull_request: - branches: [ master ] + branches: [ main ] + +permissions: + contents: read jobs: cred-scan: - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Scan credentials - uses: outscale-dev/cred-scan@main + uses: outscale/cred-scan@main with: scan_path: "./"
diff --git a/.github/workflows/github-sanity-scan.yml b/.github/workflows/github-sanity-scan.yml
index d9c4453..5df1fb9 100644
--- a/.github/workflows/github-sanity-scan.yml
+++ b/.github/workflows/github-sanity-scan.yml
@@ -2,13 +2,16 @@ name: Github sanity scanner on: pull_request: - branches: [ master ] + branches: [ main ] + +permissions: + contents: read jobs: github-sanity-scan: - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Github sanity scanner uses: outscale/github-sanity-scan@main with:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 22c9ea4..495f314 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
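Review bot: The new `- language: actions` matrix entry is fed to `uses: github/codeql-action/init@v2`, an unchanged context line at the end of the hunk; as far as I know the v2 line of that action was deprecated in early 2025 and predates CodeQL's support for scanning GitHub Actions workflows, so this entry is likely to fail or be skipped until the action is upgraded. I would change the init step to `uses: github/codeql-action/init@v3` and do the same for the analyze step, which lies outside the hunk, and confirm the `actions` language is accepted on a run before merging. The `analyze` job continues past the end of the hunk.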
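Review bot: `runs-on: ubuntu-latest` is introduced in the cred-scan job, and likewise in the github-sanity-scan.yml hunk that follows, while build.yml, code-check.yml and publish.yml in the same commit move to the pinned `ubuntu-24.04`; a floating runner label changes the image under the job without a commit, so keep the pinned label for consistency and reproducibility: `runs-on: ubuntu-24.04`. The renamed `uses: outscale/cred-scan@main` is a mutable branch ref for a third-party action that runs on `pull_request` over the checked-out tree (`scan_path: "./"`), so pinning it to a full commit SHA with the ref in a trailing comment would make the scan step immutable; `actions/checkout@v5` deserves the same treatment. The added workflow-level `permissions: contents: read` is a welcome reduction of the default token scope.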
@@ -1,21 +1,25 @@ name: osc-sdk-python pip publishing + on: release: types: [released] +permissions: + contents: read + id-token: write + jobs: - publish: + build: + runs-on: ubuntu-24.04 environment: publish - runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Set up Python uses: actions/setup-python@v5 with: python-version: '3.x' - name: Initialize submodules run: make init - - name: Build & Push packages - run: make upload-package - env: - PIP_TOKEN: ${{ secrets.PIP_TOKEN }} + - name: Build packages + run: make package + - uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/Makefile b/Makefile
index 6d8bea2..1c352e4 100644
--- a/Makefile
+++ b/Makefile
@@ -31,10 +31,6 @@ test-int: .venv/ok init package: .venv/ok init @./scripts/package.sh -.PHONY: upload-package -upload-package: package - @./scripts/upload_package.sh - .PHONY: osc-api-update osc-api-update: cd osc_sdk_python/osc-api/; git fetch; git checkout origin/master; cd ..; git add osc-api
diff --git a/scripts/upload_package.sh b/scripts/upload_package.sh
deleted file mode 100755
index 18b6dc1..0000000
--- a/scripts/upload_package.sh
+++ /dev/null
@@ -1,20 +0,0 @@ -#!/bin/bash -set -e - -# Assuming you are running this from a prepared virtual environment -PROJECT_ROOT=$(cd "$(dirname $0)/.." && pwd) -cd $PROJECT_ROOT - -echo -n "$(basename $0): " - -if [ -z "$PIP_TOKEN" ]; then - echo "PIP_TOKEN is missing, abort." - exit 1 -fi - -. .venv/bin/activate > /dev/null -python3 -m pip install --upgrade twine -export TWINE_USERNAME="__token__" -export TWINE_PASSWORD=$PIP_TOKEN -python3 -m twine upload --skip-existing --non-interactive dist/* -echo "OK"
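Review bot: `id-token: write` is granted at workflow level and the single `build` job both builds and publishes, so the OIDC token PyPI trusts is also minted for the checkout, setup-python, `make init` and `make package` steps, any of which runs third-party code; the layout the pypa action recommends is a build job with no `id-token` that uploads `dist/` as an artifact, plus a separate publish job carrying `environment: publish`, job-scoped `permissions: id-token: write` and the publish step, which also keeps the environment name matching the PyPI trusted-publisher configuration. `pypa/gh-action-pypi-publish@release/v1` is a moving branch ref; pin it (and `actions/checkout@v5`) to a full commit SHA with the version in a trailing comment, and give the step a `name:` like the other steps. With `PIP_TOKEN` no longer referenced here and `make upload-package` / `scripts/upload_package.sh` removed in the following hunks, the token should also be revoked on PyPI and deleted from the `publish` environment secrets rather than left dormant.

```yaml
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      # … unchanged: checkout, setup-python, make init, make package …
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-24.04
    environment: publish
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - name: Publish to PyPI
        # TODO: pin to a full commit SHA (<sha-of-release/v1>) once chosen
        uses: pypa/gh-action-pypi-publish@release/v1
```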