feat[ci]: update pypi release pipeline to use OIDC (#3912)

OIDC is pypi's current recommended best practice (see below). this commit modifies the pypi release pipeline to use the Trusted Publisher mechanism. it has already been configured on the PyPI side. references: - https://docs.pypi.org/trusted-publishers/
vyperlang · Apr 6, 2024 · 7485cea · 7485cea
1 parent 63b8d1d
commit 7485cea
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 35 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
diff --git a/.github/workflows/release-pypi.yml b/.github/workflows/release-pypi.yml
@@ -0,0 +1,38 @@
+# upload to pypi using the pypa publish action
+# https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
+
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]  # releases and pre-releases (release candidates)
+
+jobs:
+  publish-pypi:
+    runs-on: ubuntu-latest
+
+    # https://docs.pypi.org/trusted-publishers/using-a-publisher/
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
+    # Specifying a GitHub environment is optional, but strongly encouraged
+    environment: release
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: "3.11"
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install setuptools wheel twine
+
+    - name: Build
+      run: python setup.py sdist bdist_wheel
+
+    - name: Publish
+      uses: pypa/gh-action-pypi-publish@release/v1