From 58b50fe5e956b2ae4ae2b5a870d09454f9fab0b4 Mon Sep 17 00:00:00 2001
From: "M.P. Korstanje"
Date: Thu, 14 Nov 2024 23:05:18 +0100
Subject: [PATCH] Python: Replace publish action

Replaces `cucumber/action-publish-pypi` with `pypa/gh-action-pypi-publish@release/v1`. The motivation for using actions in the cucumber org is to ensure that we do not hand release tokens to untrusted code. As the party publishing our python packages, the Python Package Authority can be trusted. Additionally, their action uses trusted publishers which authorizes GitHub with OIDC so no long-lived tokens are used.

---
 .github/workflows/release-pypi.yaml | 10 +++++++---
 .github/workflows/test-python.yml | 6 ++++--
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release-pypi.yaml b/.github/workflows/release-pypi.yaml
index 9b562cb6a..3bb95d6a3 100644
--- a/.github/workflows/release-pypi.yaml
+++ b/.github/workflows/release-pypi.yaml
@@ -26,6 +26,10 @@ jobs:
 - name: Show Python version
 run: python --version
-- uses: cucumber/action-publish-pypi@v3.0.0
-with:
-working-directory: "python"
+- name: Install Python package dependencies
+run: |
+python -m pip install build twine
+python -m build
+twine check --strict dist/*
+- name: Publish package distributions to PyPI
+uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/.github/workflows/test-python.yml b/.github/workflows/test-python.yml
index 76db6ecff..c21b15be7 100644
--- a/.github/workflows/test-python.yml
+++ b/.github/workflows/test-python.yml
@@ -50,9 +50,11 @@ jobs:
 run: python --version
 - name: Install Python package dependencies
 run: |
-python -m pip install -U pip setuptools wheel
-pip install -U -r requirements.txt
+python -m pip install build twine pip setuptools wheel
+pip install -r requirements.txt
 pip install -e .
+python -m build
+twine check --strict dist/*
 - name: Run tests
 run: pytest
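Review bot: The removed step ran with `working-directory: "python"`, but the new build/check run step and the publish step are given no directory, so unless the job sets `defaults.run.working-directory` outside the hunk, `python -m build` and `twine check --strict dist/*` operate at the repository root and `pypa/gh-action-pypi-publish` looks for `dist/` there rather than under `python/`. If the package still lives under `python/`, add `working-directory: python` to the run step and `with: packages-dir: python/dist/` to the publish step. Trusted publishing also requires `permissions: id-token: write` on the job and a PyPI trusted-publisher entry matching this workflow file (and environment, if one is used); that block is outside the hunk, so confirm it is present. Given the commit's stated aim of not handing releases to untrusted code, pinning the action to a full commit SHA rather than the mutable `release/v1` branch would be consistent with that aim. The job definition begins above the hunk.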
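Review bot: The "Install Python package dependencies" step now also builds the distribution and runs `twine check --strict dist/*`, so a packaging failure is reported under a step named for dependency installation; moving `python -m build` and `twine check --strict dist/*` into their own `- name: Build and check distribution` step would make the failure attributable at a glance. Dropping `-U` also means the `pip setuptools wheel` entries in `python -m pip install build twine pip setuptools wheel` are no-ops wherever the runner image already ships them, so either restore `-U` for those or drop them from the list to make the intent clear. The step list of this job begins above the hunk.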