Using trusted publishing for PyPI

ghislainv · Dec 19, 2023 · aade7f6 · aade7f6
1 parent 9b8b0ed
commit aade7f6
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 5 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - master
+      - dev
   pull_request:
 
 jobs:

diff --git a/.github/workflows/wheel-pypi.yml b/.github/workflows/wheel-pypi.yml
@@ -62,31 +62,36 @@ jobs:
     name: Upload to PyPI
     needs: [build_wheels, build_sdist]
     runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/forestatrisk
+    permissions:
+      id-token: write  # Mandatory for trusted publishing.
     steps:
       - uses: actions/download-artifact@v3
         with:
           name: artifact
           path: dist
       - uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: __token__
-          password: ${{ secrets.pypi_password }}
 
   upload_testpypi:
     # Upload to TestPyPI for dev branch
     if: github.ref == 'refs/heads/dev'
     name: Upload to TestPyPI
     needs: [build_wheels, build_sdist]
     runs-on: ubuntu-latest
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/p/forestatrisk
+    permissions:
+      id-token: write  # Mandatory for trusted publishing.
     steps:
       - uses: actions/download-artifact@v3
         with:
           name: artifact
           path: dist
       - uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.testpypi_password }}
           repository-url: https://test.pypi.org/legacy/
 
 # End