Merge pull request #111 from ssciwr/pypi-trusted-publishing

Switch to PyPI trusted publishing
ssciwr · Jan 8, 2024 · adf962d · adf962d
2 parents 83a407c + c1b7430
commit adf962d
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 10 deletions.
diff --git a/{{cookiecutter.project_slug}}/.github/workflows/pypi.yml b/{{cookiecutter.project_slug}}/.github/workflows/pypi.yml
@@ -30,22 +30,24 @@ jobs:
   upload_testpypi:
     needs: [build-wheels]
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     if: github.event_name == 'release' && github.event.action == 'published'
     steps:
       - uses: actions/download-artifact@v3
         with:
           name: artifact
           path: dist
 
-      - uses: pypa/gh-action-pypi-publish@release/v1
+      - uses: pypa/gh-action-pypi-publish@v1
         with:
-          user: __token__
-          password: ${{ "{{ secrets.TESTPYPI_API_TOKEN }}" }}
           repository_url: https://test.pypi.org/legacy/
 
   upload_pypi:
     needs: [build-wheels, upload_testpypi]
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     if: github.event_name == 'release' && github.event.action == 'published'
     steps:
       - uses: actions/download-artifact@v3
@@ -54,7 +56,3 @@ jobs:
           path: dist
 
       - uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: __token__
-          password: ${{ "{{ secrets.PYPI_API_TOKEN }}" }}
-          verbose: true
diff --git a/{{cookiecutter.project_slug}}/TODO.md b/{{cookiecutter.project_slug}}/TODO.md
@@ -47,9 +47,14 @@ The following tasks need to be done to get a fully working project:
   about your project, such as your email adress, PyPI classifiers and a short project description.
 {%- endif %}
 {%- if cookiecutter.pypi_release == "Yes" %}
-* Add the secret variables `TESTPYPI_API_TOKEN` and `PYPI_API_TOKEN` to your GitHub project.
-  These variables can be generated by heading to `https://test.pypi.org/` and `https://pypi.org`,
-  adding a new project and generating these tokens.
+* Head to your user settings at `https://pypi.org` and `https://test.pypi.org/` to setup PyPI trusted publishing.
+  In order to do so, you have to head to the "Publishing" tab, scroll to the bottom
+  and add a "new pending publisher". The relevant information is:
+  * PyPI project name: `{{ cookiecutter|modname }}`
+  * Owner: `{{ cookiecutter|username }}`
+  * Repository name: `{{ cookiecutter|remote_slug }}`
+  * Workflow name: `pypi.yml`
+  * Environment name: not required
 {%- endif %}
 {%- if cookiecutter.codecovio == "Yes" %}
 * Enable the integration with `codecov.io` by heading to the [Codecov.io Website](https://codecov.io),