Zero-configuration secretless publishing to PyPI

[webknjaz]

$sbj is now in private beta. My publishing action already supports it: from day one — https://github.com/marketplace/actions/pypi-publish#publishing-with-openid-connect.

Now that it's available, I'm going to gradually remove the secrets containing long-living PyPI API tokens and switching over to OIDC that acquires short-lived temporary upload tokens under the hood. This should also include removing the PyPI bot account access from said projects, which I forgot in a few places, originally.

These projects have already been migrated:

• aiohttp
• aiomonitor
• aiomysql
• async-lru
• frozenlist
• multidict
• yarl

cc @Nothing4You @jettify @Dreamsorcerer @mjpieters @aio-libs/admins

[Dreamsorcerer]

Just looking at setting up a new repo, is it the same configuration, but without the pypi_token option?

i.e.

    - name: Make Release
      uses: aio-libs/create-release@v1.6.6
      with:
        changes_file: CHANGES.rst
        name: project-name
        version_file: project_name/__init__.py
        github_token: ${{ secrets.GITHUB_TOKEN }}
        dist_dir: dist
        fix_issue_regex: "`#(\\d+) <https://github.com/aio-libs/project-name/issues/\\1>`"
        fix_issue_repl: "(#\\1)"

[Dreamsorcerer]

Sorry, not new, I've just been updating the CI for async-lru to match other repos. I don't see any secrets in the repo currently, though a release was pushed a few months ago.

[webknjaz]

@Dreamsorcerer it's currently impossible to set up secretless publishing in said project right now. I'm trying to reach out to @hellysmile through multiple channels to gain proper accesses and make it possible..

[mjpieters]

@webknjaz I think it's an issue with aio-libs/create-release actually.

The current implementation of that action expects a pypi password being set.

[webknjaz]

Yeah, that was my guess. The action is too coupled for my taste. Hopefully, we'll figure it out later.

[webknjaz]

It looks like skipping that PyPI password input makes it skip calling the pypi-publish action, giving us a chance of calling it outside properly. This worked for async-lru so I'm scaling it to other projects now (example: aio-libs/aiohttp#7359). One downside is that it still downloads and builds the docker container for that version, but that's probably fine for now.