feat[ci]: update pypi release pipeline to use OIDC

OIDC is pypi's current recommended best practice (see below). this commit modifies the pypi release pipeline to use the Trusted Publisher mechanism. it has already been configured on the PyPI side. references: - https://docs.pypi.org/trusted-publishers/
charles-cooper · Apr 5, 2024 · 3c8240f · 3c8240f
1 parent 63b8d1d
commit 3c8240f
Showing 1 changed file with 11 additions and 8 deletions.
diff --git a/.github/workflows/publish.yml → .github/workflows/release-pypi.yml b/.github/workflows/publish.yml → .github/workflows/release-pypi.yml
@@ -1,5 +1,5 @@
-# This workflow will upload a Python Package using Twine when a release is created
-# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
+# upload to pypi using the pypa publish action
+# https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
 
 name: Publish to PyPI
 
@@ -8,13 +8,19 @@ on:
     types: [published]  # releases and pre-releases (release candidates)
 
 jobs:
-
-  deploy:
+  publish-pypi:
     runs-on: ubuntu-latest
 
     steps:
     - uses: actions/checkout@v4
 
+    # Specifying a GitHub environment is optional, but strongly encouraged
+    environment: release
+
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
+
     - name: Python
       uses: actions/setup-python@v5
       with:
@@ -29,7 +35,4 @@ jobs:
       run: python setup.py sdist bdist_wheel
 
     - name: Publish
-      env:
-        TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
-        TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
-      run: twine upload dist/*
+      uses: pypa/gh-action-pypi-publish@release/v1