Switch to using PyPI trusted publishing (#45)

wagtail · Jan 8, 2024 · 7192e1a · 7192e1a
1 parent 420c755
commit 7192e1a
Showing 1 changed file with 24 additions and 12 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -6,12 +6,11 @@ on:
   release:
     types: [published]
 
-permissions:
-  contents: read # to fetch code (actions/checkout)
-
 jobs:
   build_and_publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     steps:
       - uses: actions/checkout@v4
         with:
@@ -35,16 +34,29 @@ jobs:
 
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
-          python -m pip install flit
-          python -m flit install --symlink
+          python -Im pip install --upgrade pip
+          python -Im pip install flit
+          python -Im flit install --symlink
 
       - name: Build
-        run: python -m flit build
+        run: python -Im flit build
+
+      - uses: actions/upload-artifact@v3
+        with:
+          path: ./dist
+
+  publish:
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: none
+      id-token: write # required for trusted publishing
+    environment: publish
+    steps:
+      - uses: actions/download-artifact@v3
 
       - name: Publish to PyPI
-        env:
-          FLIT_USERNAME: '__token__'
-          FLIT_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
-          FLIT_INDEX_URL: https://upload.pypi.org/legacy/
-        run: python -m flit publish
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: artifact/
+          print-hash: true