From 45cc111021c9e29d29dd9938f1d57a9cebfcfe4e Mon Sep 17 00:00:00 2001
From: Paul Natsuo Kishimoto
Date: Sun, 30 Apr 2023 18:29:23 +0200
Subject: [PATCH 1/4] Gitignore .vscode
---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d2e7bc2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+# Editors
+.vscode
From 3b8bd01ee91191c6bcf643503841010b8fb6c6b8 Mon Sep 17 00:00:00 2001
From: Paul Natsuo Kishimoto
Date: Sun, 30 Apr 2023 18:29:53 +0200
Subject: [PATCH 2/4] Remove secrets usage from publish.yaml
---
 .github/workflows/publish.yaml | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 27b3712..13042b0 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -9,11 +9,6 @@ on:
 type: string
 required: false
 default: "3.x"
- secrets:
- PYPI_TOKEN:
- required: true
- TESTPYPI_TOKEN:
- required: true
 jobs:
 publish:
@@ -47,14 +42,9 @@ jobs:
 uses: pypa/gh-action-pypi-publish@release/v1
 if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
 with:
- user: __token__
- password: ${{ secrets.TESTPYPI_TOKEN }}
 repository-url: https://test.pypi.org/legacy/
 # Performed on a release event
 - name: Publish to PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
 if: github.event_name == 'release'
- with:
- user: __token__
- password: ${{ secrets.PYPI_TOKEN }}
From 0f9c857f030818f51279adf3cf28c1dcaba4ec44 Mon Sep 17 00:00:00 2001
From: Paul Natsuo Kishimoto
Date: Sun, 30 Apr 2023 18:30:05 +0200
Subject: [PATCH 3/4] Document changes in publish.yaml
---
 README.rst | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/README.rst b/README.rst
index 630559f..f5064d6 100644
--- a/README.rst
+++ b/README.rst
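Review bot: Dropping `password:` from both `pypa/gh-action-pypi-publish` steps switches them to OIDC-based Trusted Publishing, which needs the `id-token: write` permission on the job, yet neither hunk of this patch declares it, so the reusable workflow now depends entirely on every caller granting that permission. Consider declaring the minimum on the job itself, `permissions:` / `  id-token: write` / `  contents: read` under `publish:`, so the grant is visible where the token is consumed and, as far as I understand reusable-workflow permission handling, a caller that forgets it fails with a clear permissions error instead of a confusing upload failure. Removing the declared `secrets:` from the `workflow_call` trigger in the first hunk is also a breaking change for callers that still pass `PYPI_TOKEN`/`TESTPYPI_TOKEN`; if this ref is consumed by existing callers, say so in the commit message or keep the old secrets as optional during migration. The `jobs:` block continues outside both hunks.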
@@ -60,7 +60,7 @@ Build Python package distributions; check with ``twine``, and publish to (Test)PyPI.
 - `Source `__
-- Usage example:
+- Usage example (``main`` branch):
 .. code-block:: yaml
@@ -81,3 +81,29 @@ Build Python package distributions; check with ``twine``, and publish to (Test)P
 secrets:
 PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
 TESTPYPI_TOKEN: ${{ secrets.TESTPYPI_TOKEN }}
+
+ This usage is **deprecated**: workflows using publish.yaml should switch to the ``pypi-trusted`` approach, below. This version will be disabled and cease to work once all known user workflows have migrated.
+
+- The ``pypi-trusted`` branch contains an updated version of this workflow that uses PyPI's new (2023) `Trusted Publisher `__ integration. This obviates the use of secrets, above. To use this branch, specify on the ``uses:`` line.
+ .. code-block:: yaml
+ name: Build package / publish
+ on:
+ pull_request:
+ branches: [ main ] # Package is built and checked
+ push:
+ branches: [ main ] # Package is built and checked
+ tags: [ "v*" ] # Package is pushed to TestPyPI
+ release:
+ types: [ published ] # Package is also pushed to PyPI
+ jobs:
+ publish:
+ uses: iiasa/actions/.github/workflows/publish.yaml@pypi-trusted
+ permissions:
+ id-token: write
From bcb6724ce231b56edef711b15db3d7650ea08da4 Mon Sep 17 00:00:00 2001
From: Paul Natsuo Kishimoto
Date: Sun, 30 Apr 2023 19:29:32 +0200
Subject: [PATCH 4/4] Add and use environment: input to publish.yaml
---
 .github/workflows/publish.yaml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 13042b0..d05753e 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -5,13 +5,21 @@ on:
 inputs:
 python-version:
 description: |-
- Python version for the workflow, passed to actions/setup-python.
+ Python version for the workflow, passed to actions/setup-python.
 type: string
 required: false
 default: "3.x"
+ environment:
+ description: |-
+ Environment name to use in the workflow.
+ type: string
+ required: false
+ default: "publish"
 jobs:
 publish:
+ environment: ${{ inputs.environment }}
+
 runs-on: ubuntu-latest
 steps:
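Review bot: The new `environment:` input is consumed as `environment: ${{ inputs.environment }}` on the `publish` job, but its description does not say why the name matters: with the Trusted Publishing flow that the earlier patch in this series moves to, an environment name registered with the publisher on (Test)PyPI must match the one the job runs in, and the name also selects which GitHub environment protection rules gate the upload. Suggest expanding the description to `Environment name to use in the workflow. Must match the environment configured for the Trusted Publisher on (Test)PyPI, if one is set; its protection rules (e.g. required reviewers) gate publishing.` The removed and re-added `Python version for the workflow, passed to actions/setup-python.` line reads as a whitespace-only change after collapsing; if it is an indentation fix inside the `|-` block scalar, a one-line mention in the commit message would help reviewers. The `steps:` block continues outside the hunk.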