Commit7be09e5

authored

chore(ci): use OIDC trusted publishing for pypi.org (#2559)

* chore(ci): use OIDC trusted publishing for pypi.org* chore(ci): explicitly install setuptools in tests

1 parenta2b8c8c commit7be09e5Copy full SHA for 7be09e5

File tree

+17

-1

lines changed

+17

-1

lines changed

Lines changed: 15 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -9,13 +9,27 @@ jobs:`
`9`	`9`	`release:`
`10`	`10`	`if:github.repository == 'python-gitlab/python-gitlab'`
`11`	`11`	`runs-on:ubuntu-latest`
	`12`	`+permissions:`
	`13`	`+id-token:write`
	`14`	`+environment:pypi.org`
`12`	`15`	`steps:`
`13`	`16`	`-uses:actions/checkout@v3.5.0`
`14`	`17`	`with:`
`15`	`18`	`fetch-depth:0`
`16`	`19`	`token:${{ secrets.RELEASE_GITHUB_TOKEN }}`
	`20`	`+ -name:mint API token`
	`21`	`+id:mint-token`
	`22`	`+run:\|`
	`23`	`+ resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")`
	`24`	`+ oidc_token=$(jq '.value' <<< "${resp}")`
	`25`	`+`
	`26`	`+ resp=$(curl -X POST https://pypi.org/_/oidc/github/mint-token -d "{\"token\":${oidc_token}}")`
	`27`	`+ api_token=$(jq '.token' <<< "${resp}" \| tr -d '"')`
	`28`	`+`
	`29`	`+ echo "::add-mask::${api_token}"`
	`30`	`+ echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"`
`17`	`31`	`-name:Python Semantic Release`
`18`	`32`	`uses:relekang/python-semantic-release@v7.33.2`
`19`	`33`	`with:`
`20`	`34`	`github_token:${{ secrets.RELEASE_GITHUB_TOKEN }}`
`21`		`-pypi_token:${{secrets.PYPI_TOKEN }}`
	`35`	`+pypi_token:${{steps.mint-token.outputs.api-token }}`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -7,3 +7,5 @@ pytest-github-actions-annotate-failures==0.1.8`
`7`	`7`	`pytest==7.2.2`
`8`	`8`	`PyYaml==5.4.1`
`9`	`9`	`responses==0.23.1`
	`10`	`+setuptools==67.7.2`
	`11`	`+wheel==0.40.0`

Comments

(0)