diff --git a/.github/workflows/tagPublish.yml b/.github/workflows/tagPublish.yml
index 29ec3ad..4fd30fa 100644
--- a/.github/workflows/tagPublish.yml
+++ b/.github/workflows/tagPublish.yml
@@ -24,6 +24,9 @@ jobs:
 wheel:
 name: python${{ matrix.python-version }}-${{ matrix.platform.python-architecture }} ${{ matrix.platform.os }}
 runs-on: ${{ matrix.platform.os }}
+ permissions:
+ id-token: write
+ contents: write
 strategy:
 matrix:
 python-version: ['3.7', '3.8', '3.9', '3.10', '3.11']
@@ -66,11 +69,29 @@ jobs:
 - name: build source
 id: build_source
 run: python -u .github/workflows/build_source.py
+ - name: mint API token
+ id: mint-token
+ shell: bash
+ # Reference link : https://docs.pypi.org/trusted-publishers/using-a-publisher/
+ run: |
+ # retrieve the ambient OIDC token
+ resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+ "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
+ oidc_token=$(jq '.value' <<< "${resp}")
+ # exchange the OIDC token for an API token
+ resp=$(curl -X POST https://pypi.org/_/oidc/github/mint-token -d "{\"token\": ${oidc_token}}")
+ api_token=$(jq -r '.token' <<< "${resp}")
+
+ # mask the newly minted API token, so that we don't accidentally leak it
+ echo "::add-mask::${api_token}"
+
+ # see the next step in the workflow for an example of using this step output
+ echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
 - name: Publish to pypi
 env:
 # the username and the repository needs to be changed before release.
- TWINE_USERNAME: ${{ secrets.pypi_user_name }}
- TWINE_PASSWORD: ${{ secrets.pypi_password }}
+ TWINE_USERNAME: __token__
+ TWINE_PASSWORD: ${{ steps.mint-token.outputs.api-token }}
 TWINE_REPOSITORY: pypi
 run: |
 pip install -U twine
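Review bot: The new job-level `permissions` block grants `contents: write`, but nothing visible in this hunk or in the publish hunk of the same file writes to the repository — the OIDC exchange needs only `id-token: write`, and a checkout needs only read access. Unless a step outside the visible hunks creates a GitHub release or pushes a tag, `contents: read` is the least-privilege choice and leaves the identity token as the only elevated grant on a job that runs once per matrix leg. Change `+ contents: write` to `+ contents: read`, or add a comment on the line naming the step that actually needs write access.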
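Review bot: Neither `curl` call in the mint-token step fails on an HTTP error status, so a rejected exchange (publisher not yet configured on PyPI, wrong audience, a transient 5xx) leaves `api_token` as the literal string `null`, the step still succeeds, `::add-mask::null` masks the word "null" across the rest of the job log, and twine later fails with an unrelated-looking authentication error. Add `-sSf` to both `curl` invocations and stop the job when nothing was minted: `[ -n "${api_token}" ] && [ "${api_token}" != null ] || { echo "::error::PyPI token mint failed"; exit 1; }`. The retained comment `# the username and the repository needs to be changed before release.` is now stale because the username is fixed at `__token__`; drop it or replace it with `# trusted publishing: username is always __token__`. If hand-rolling this exchange is not a deliberate choice, the `pypa/gh-action-pypi-publish` action performs the same OIDC mint with error handling and masking built in.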