CI: use trusted publisher for PyPi publishing

naveen521kk · naveen521kk · commit cb832bc4390e · 2024-09-14T19:14:40.000+05:30
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -151,96 +151,69 @@ jobs:
         run: |
           bash packing/test_wheels.sh $(pwd)
 
-  publish_wheels:
-    needs: [test_wheels_mac, test_wheels_win]
-    name: Upload wheels
-    runs-on: ubuntu-latest
-    if: github.event_name== 'release'
-    steps:
-      - name: Setup Python
-        uses: actions/setup-python@v4
-        with:
-          python-version: "3.9"
-
-      - uses: actions/download-artifact@v3
-        with:
-          path: downloads/
-
-      - name: Publish release
-        if: github.event_name == 'release'
-        shell: bash
-        env:
-          TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
-          TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
-        run: |
-          mkdir -p wheelhouse/
-          find downloads/ -name \*.whl -exec cp {} wheelhouse \;
-          pip install twine
-          twine upload wheelhouse/*.whl
-
   build_sdist:
     name: Source distribution
     runs-on: ubuntu-latest
-    if: github.event_name== 'release'
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
       - name: Setup Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
-          python-version: "3.8"
+          python-version: "3.11"
 
-      - name: Build Source Distribution
-        if: ${{  github.event_name== 'release' && runner.os == 'Linux' }}
-        env:
-          TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
-          TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
+      - name: Install dependencies
         run: |
           sudo apt install libcairo2-dev pkg-config python3-dev
           sudo apt-get install libpango1.0-dev
-          pip install twine
-          python setup.py sdist
-          twine upload dist/*
+          python -m pip install --upgrade build
+
+      - name: Build sdist
+        run: python -m build --sdist
+      
+      - name: Test sdist
+        run: |
+          python -m pip install dist/*.tar.gz
 
       - name: Store artifacts
         uses: actions/upload-artifact@v3
         with:
           path: dist/*.tar.gz
-          name: manimpango.tar.gz
-      - name: Install Dependency
-        run: pip install requests
-      - name: Get Upload URL
-        id: create_release
-        shell: python
-        env:
-          access_token: ${{ secrets.GITHUB_TOKEN }}
-          tag_act: ${{ github.ref }}
+          name: manimpango-src
+
+  publish:
+    needs: [test_wheels_mac, test_wheels_win, build_sdist]
+    name: Upload wheels to PyPI
+    runs-on: ubuntu-latest
+    environment:
+      name: release
+      url: https://pypi.org/p/ManimPango
+    permissions:
+      id-token: write
+      contents: write
+    if: github.event_name== 'release'
+    steps:
+      - uses: actions/download-artifact@v3
+        with:
+          path: downloads/
+
+      - name: Move files to dist
         run: |
-          import requests
-          import os
-          ref_tag = os.getenv('tag_act').split('/')[-1]
-          access_token = os.getenv('access_token')
-          headers = {
-              "Accept":"application/vnd.github.v3+json",
-              "Authorization": f"token {access_token}"
-          }
-          url = f"https://api.github.com/repos/ManimCommunity/manimpango/releases/tags/{ref_tag}"
-          c = requests.get(url,headers=headers)
-          upload_url=c.json()['upload_url']
-          with open(os.environ.get("GITHUB_OUTPUT"), "w") as f:
-              print(f"upload_url={upload_url}", file=f)
-              print(f"tag_name={ref_tag[1:]}", file=f)
-      - name: Upload Release Asset
-        id: upload-release
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          mkdir -p dist/
+          find downloads/ -name \*.whl -exec cp {} dist \;
+          find downloads/ -name \*.tar.gz -exec cp {} dist \;
+
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+      - name: Release
+        uses: softprops/action-gh-release@v2
         with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: dist/ManimPango-${{ steps.create_release.outputs.tag_name }}.tar.gz
-          asset_name: ManimPango-${{ steps.create_release.outputs.tag_name }}.tar.gz
-          asset_content_type: application/gzip
+          fail_on_unmatched_files: false
+          files: |
+            dist/*.whl
+            dist/*.tar.gz
 
   success:
     needs: [test_wheels_win, test_wheels_mac]
