maint: Use trusted publishing for pushinng to PyPI

oscarbenjamin · oscarbenjamin · commit 5012a3b954db · 2024-03-29T13:24:22.000Z
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,11 +7,14 @@ on:
       - master
 
 jobs:
-  release:
-    name: Release
+  tag-and-build:
+    name: Tag and build
     runs-on: ubuntu-latest
     permissions: write-all
 
+    outputs:
+      tag: ${{ steps.tag-step.outputs.tag }}
+
     steps:
       - name: Check out the repository
         uses: actions/checkout@v4.1.1
@@ -48,29 +51,47 @@ jobs:
           version=$(hatch version) &&
           hatch version $version$(date +%s)
 
+      - name: Publish the release notes
+        uses: release-drafter/release-drafter@v6.0.0
+        with:
+          publish: ${{ steps.check-version.outputs.tag != '' }}
+          tag: ${{ steps.check-version.outputs.tag }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Build package
         run: |
           hatch build
 
-      - name: Publish package on PyPI
-        if: steps.check-version.outputs.tag
-        uses: pypa/gh-action-pypi-publish@v1.8.12
+      - name: Store tag
+        id: tag-step
+        run: echo "tag=${{ steps.check-version.outputs.tag }}" >> "$GITHUB_OUTPUT"
+
+      - name: Upload release artifacts
+        uses: actions/upload-artifact@v4
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_TOKEN }}
+          name: release-artifacts
+          path: dist/
+
+  pypi-publish:
+    name: Publish to PyPI
+    needs: [tag-and-build]
+    environment:
+      name: release
+      url: https://pypi.org/p/protosym
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+
+    steps:
+      - run: echo "Tag = ${{ needs.tag-and-build.outputs.tag }}"
+
+      - name: Publish package on PyPI
+        if: needs.tag-and-build.outputs.tag
+        uses: pypa/gh-action-pypi-publish@release/v1
 
       - name: Publish package on TestPyPI
-        if: "! steps.check-version.outputs.tag"
-        uses: pypa/gh-action-pypi-publish@v1.8.12
+        if: "! needs.tag-and-build.outputs.tag"
+        uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.TEST_PYPI_TOKEN }}
           repository_url: https://test.pypi.org/legacy/
-
-      - name: Publish the release notes
-        uses: release-drafter/release-drafter@v6.0.0
-        with:
-          publish: ${{ steps.check-version.outputs.tag != '' }}
-          tag: ${{ steps.check-version.outputs.tag }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
