From 8cef3fab48d70431bc014d0c5e8242bb859be54a Mon Sep 17 00:00:00 2001
From: sjquant
Date: Mon, 11 Mar 2024 22:27:45 +0900
Subject: [PATCH] =?UTF-8?q?=F0=9F=92=9A=20Fix=20ci?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/publish.yaml | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 0801ea6..cb79a46 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -8,6 +8,9 @@ on:
 jobs:
 publish:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
@@ -32,7 +35,7 @@ jobs:
 VERSION="v$(poetry version -s)"
 echo "Current version: $VERSION"
- LATEST_RELEASE=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+ LATEST_RELEASE=$(curl -s -H "Authorization: token ${{ github.token }}" \
 https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r '.tag_name')
 echo "Latest release version: $LATEST_RELEASE"
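Review bot: `curl -s` on the releases request suppresses HTTP errors, so when the call is rejected or the repository has no release yet, `jq -r '.tag_name'` sets `LATEST_RELEASE` to the literal string `null` and the step carries on comparing against that value; add a guard such as `if [ -z "$LATEST_RELEASE" ] || [ "$LATEST_RELEASE" = "null" ]; then LATEST_RELEASE=""; fi` before the comparison, or use `curl -fsS` if a missing release should abort the step instead. Replacing `secrets.GITHUB_TOKEN` with `github.token` is equivalent; both resolve to the job's installation token, whose scope is now fixed by the `permissions` block added in the first hunk. The version-check script starts before this hunk and the comparison that consumes `LATEST_RELEASE` lies after it.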
@@ -47,13 +50,31 @@ jobs:
 - name: Create Release
 if: steps.version_check.outputs.version_changed == 'true'
- uses: softprops/action-gh-release@v1
+ uses: softprops/action-gh-release@v2
 with:
 tag_name: ${{ steps.version_check.outputs.new_version }}
 generate_release_notes: True
+
+ - name: mint API token
+ id: mint-token
+ run: |
+ # retrieve the ambient OIDC token
+ resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+ "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
+ oidc_token=$(jq -r '.value' <<< "${resp}")
+
+ # exchange the OIDC token for an API token
+ resp=$(curl -X POST https://pypi.org/_/oidc/mint-token -d "{\"token\": \"${oidc_token}\"}")
+ api_token=$(jq -r '.token' <<< "${resp}")
+
+ # mask the newly minted API token, so that we don't accidentally leak it
+ echo "::add-mask::${api_token}"
+
+ # see the next step in the workflow for an example of using this step output
+ echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
 - name: Build and publish to PyPI
 if: steps.version_check.outputs.version_changed == 'true'
 run: |
 poetry build
- poetry publish
\ No newline at end of file
+ poetry publish -u __token__ -p ${{ steps.mint-token.outputs.api-token }}
\ No newline at end of file
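Review bot: The new `mint API token` step carries no `if:` guard while the `Create Release` and `Build and publish to PyPI` steps around it run only when `steps.version_check.outputs.version_changed == 'true'`, so every workflow run exchanges the OIDC token for a PyPI API token even when nothing is published, and an exchange that fails (for instance when the OIDC claims do not match what is registered on PyPI) leaves a `null` token behind rather than being skipped. The publish line then passes that token on the command line (`-p ${{ steps.mint-token.outputs.api-token }}`); `::add-mask::` keeps it out of the job log, but a command-line argument is visible to any process listing on the runner, so hand it to Poetry through `env:` as `POETRY_PYPI_TOKEN_PYPI` and drop `-u/-p`. Both `curl` calls in the mint script run without `-f`/`--fail`, so an HTTP error from either endpoint makes `jq` emit the string `null` instead of stopping the step; `curl -fsS` surfaces the failure under the job's default `bash -e` shell. If the hand-rolled exchange is not required, `pypa/gh-action-pypi-publish` performs the same trusted-publishing flow and masks the token itself.
```yaml
      - name: mint API token
        if: steps.version_check.outputs.version_changed == 'true'
        id: mint-token
        # … unchanged: OIDC exchange script (use `curl -fsS` for both requests) …

      - name: Build and publish to PyPI
        if: steps.version_check.outputs.version_changed == 'true'
        env:
          POETRY_PYPI_TOKEN_PYPI: ${{ steps.mint-token.outputs.api-token }}
        run: |
          poetry build
          poetry publish
```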