
Commit e5d2933

Merge pull request #38 from webknjaz/maintenance/pypi-secretless-publishing
📦 Enable secretless GHA publishing to (Test)PyPI
2 parents 483bddb + b832220 commit e5d2933


1 file changed

+45
-41
lines changed


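--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -758,61 +758,65 @@ jobs:
 }}
 jobs: ${{ toJSON(needs) }}
 
-publish:
-name: Publish 🐍📦 to (Test)PyPI
+publish-pypi:
+name: Publish 🐍📦 ${{ needs.pre-setup.outputs.git-tag }} to PyPI
 needs:
 - check
 - pre-setup # transitive, for accessing settings
 if: >-
-fromJSON(needs.pre-setup.outputs.is-untagged-devel) ||
 fromJSON(needs.pre-setup.outputs.release-requested)
-runs-on: ${{ matrix.os }}
-strategy:
-# NOTE: Even though it's one job, it's easier to keep the params in one
-# NOTE: place using a matrix:
-matrix:
-os:
-- ubuntu-latest
+runs-on: ubuntu-latest
 
-steps:
-- name: Check out src from Git
-if: fromJSON(needs.pre-setup.outputs.release-requested)
-uses: actions/checkout@v3
-with:
-fetch-depth: 0
-- name: Setup git user as [bot]
-if: fromJSON(needs.pre-setup.outputs.release-requested)
-uses: fregante/setup-git-user@v1.1.0
+permissions:
+id-token: write # PyPI Trusted Publishing (OIDC)
 
-- name: >-
-Tag the release in the local Git repo
-as ${{ needs.pre-setup.outputs.git-tag }}
-if: fromJSON(needs.pre-setup.outputs.release-requested)
-run: >-
-git tag '${{ needs.pre-setup.outputs.git-tag }}'
-${{ github.event.inputs.release-committish }}
+environment:
+name: pypi
+url: >-
+https://pypi.org/project/ansible-pygments/${{
+needs.pre-setup.outputs.dist-version
+}}
+
+steps:
 - name: Download all the dists
 uses: actions/download-artifact@v3
 with:
 name: python-package-distributions
 path: dist/
-- name: Publish 🐍📦 ${{ needs.pre-setup.outputs.git-tag }}to TestPyPI
-if: >-
-fromJSON(needs.pre-setup.outputs.is-untagged-devel) ||
-fromJSON(needs.pre-setup.outputs.release-requested)
+- name: >-
+Publish 🐍📦 ${{ needs.pre-setup.outputs.git-tag }} to PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
+
+publish-testpypi:
+name: Publish 🐍📦 ${{ needs.pre-setup.outputs.git-tag }} to TestPyPI
+needs:
+- check
+- pre-setup # transitive, for accessing settings
+if: >-
+fromJSON(needs.pre-setup.outputs.is-untagged-devel)
+|| fromJSON(needs.pre-setup.outputs.release-requested)
+runs-on: ubuntu-latest
+
+permissions:
+id-token: write # PyPI Trusted Publishing (OIDC)
+
+environment:
+name: testpypi
+url: >-
+https://test.pypi.org/project/ansible-pygments/${{
+needs.pre-setup.outputs.dist-version
+}}
+
+steps:
+- name: Download all the dists
+uses: actions/download-artifact@v3
 with:
-password: ${{ secrets.TESTPYPI_API_TOKEN }}
-repository_url: https://test.pypi.org/legacy/
-- name: Publish 🐍📦 ${{ needs.pre-setup.outputs.git-tag }} to PyPI
-if: fromJSON(needs.pre-setup.outputs.release-requested)
+name: python-package-distributions
+path: dist/
+- name: >-
+Publish 🐍📦 ${{ needs.pre-setup.outputs.git-tag }} to TestPyPI
 uses: pypa/gh-action-pypi-publish@release/v1
 with:
-password: ${{ secrets.PYPI_API_TOKEN }}
-- name: >-
-Push ${{ needs.pre-setup.outputs.git-tag }} tag corresponding
-to the just published release back to GitHub
-if: fromJSON(needs.pre-setup.outputs.release-requested)
-run: >-
-git push --atomic origin '${{ needs.pre-setup.outputs.git-tag }}'
+repository-url: https://test.pypi.org/legacy/
+
 ...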
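Review bot: The `environment: name: pypi` and `name: testpypi` blocks (new lines 773-774 and 803-804) are now the only thing gating who can obtain the publishing OIDC token, since the `password: ${{ secrets.* }}` inputs are gone; if those environments do not already exist in the repository settings, GitHub creates them on first use with no protection rules, so every run that satisfies the job `if:` (for TestPyPI, every untagged devel build) can publish. A comment next to each would make the coupling explicit, e.g. `environment:  # must match the trusted publisher registered on (Test)PyPI; protect it in repo settings`. The removed checkout/tag/push steps have no replacement in this hunk, so after this change the workflow no longer pushes `git-tag` back to GitHub on a release — presumably that moved to another job outside the hunk, otherwise a follow-up job with `contents: write` is needed. The enclosing `jobs:` mapping starts before the hunk.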
