Skip to content

Publish to TestPyPI and PyPI via OpenID Connect token #2453

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Mar 23, 2023
Merged

Publish to TestPyPI and PyPI via OpenID Connect token #2453

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
14057fc
Publish to TestPyPI and PyPI via OpenID Connect token
weiji14 Mar 22, 2023
d01ea6b
Add note that workflow must be named publish-to-pypi
weiji14 Mar 23, 2023
f78a3eb
Add note about OIDC publishing to doc/maintenance.md
weiji14 Mar 23, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 7 additions & 5 deletions .github/workflows/publish-to-pypi.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
# Publish archives to PyPI and TestPyPI using GitHub Actions
# Important: this workflow filename must be publish-to-pypi.yml to match the
# settings in PyPI and TestPyPI so that OIDC publishing works

name: Publish to PyPI

Expand All @@ -19,6 +21,9 @@ jobs:
publish-pypi:
name: Publish to PyPI
runs-on: ubuntu-latest
permissions:
# This permission is mandatory for OIDC publishing
id-token: write
if: github.repository == 'GenericMappingTools/pygmt'

steps:
Expand Down Expand Up @@ -53,13 +58,10 @@ jobs:
ls -lh dist/

- name: Publish to Test PyPI
uses: pypa/[email protected].1
uses: pypa/[email protected].3
with:
password: ${{ secrets.TEST_PYPI_API_TOKEN }}
repository-url: https://test.pypi.org/legacy/

- name: Publish to PyPI
if: startsWith(github.ref, 'refs/tags')
uses: pypa/[email protected]
with:
password: ${{ secrets.PYPI_API_TOKEN }}
uses: pypa/[email protected]
10 changes: 6 additions & 4 deletions doc/maintenance.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,11 +118,13 @@ There are 11 configuration files located in `.github/workflows`:
If new remote files are needed urgently, maintainers can manually uncomment
the 'pull_request:' line in that `cache_data.yaml` file to refresh the cache.

6. `publish-to-pypi.yml` (Publish wheels to PyPI and TestPyPI)
6. `publish-to-pypi.yml` (Publish wheels to TestPyPI and PyPI)

This workflow is run to publish wheels to PyPI and TestPyPI (for testing only).
Archives will be pushed to TestPyPI on every commit to the *main* branch
and tagged releases, and to PyPI for tagged releases only.
This workflow is ran to publish wheels to TestPyPI (for testing only) and
PyPI. Archives will be pushed to TestPyPI on every commit to the *main*
branch and tagged releases, and to PyPI for tagged releases only. Note that
authentication to TestPyPI/PyPI is done via OpenID Connect, see also
https://github.com/pypa/gh-action-pypi-publish/tree/release/v1#publishing-with-openid-connect

7. `release-drafter.yml` (Drafts the next release notes)

Expand Down