 Set up secretless publishing to PyPI (#860)

aio-libs · Jul 9, 2023 · d70391b · d70391b
1 parent 455b14e
commit d70391b
Showing 1 changed file with 30 additions and 2 deletions.
diff --git a/.github/workflows/ci.yml → .github/workflows/ci-cd.yml b/.github/workflows/ci.yml → .github/workflows/ci-cd.yml
@@ -202,9 +202,17 @@ jobs:
 
  deploy:
  name: Deploy
- environment: release
  needs: [build-tarball, build-wheels]
  runs-on: ubuntu-latest
+
+ permissions:
+ contents: write # IMPORTANT: mandatory for making GitHub Releases
+ id-token: write # IMPORTANT: mandatory for trusted publishing & sigstore
+
+ environment:
+ name: pypi
+ url: https://pypi.org/p/multidict
+
  steps:
  - name: Checkout
  uses: actions/checkout@v3
@@ -220,7 +228,27 @@ jobs:
  name: multidict
  version_file: multidict/__init__.py
  github_token: ${{ secrets.GITHUB_TOKEN }}
- pypi_token: ${{ secrets.PYPI_API_TOKEN }}
  artifact: dist
  fix_issue_regex: ":issue:`(\\d+)`"
  fix_issue_repl: "(#\\1)"
+
+ - name: >-
+ Publish 🐍📦 to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
+
+ - name: Sign the dists with Sigstore
+ uses: sigstore/gh-action-sigstore-python@v1.2.3
+ with:
+ inputs: >-
+ ./dist/*.tar.gz
+ ./dist/*.whl
+
+ - name: Upload artifact signatures to GitHub Release
+ # Confusingly, this action also supports updating releases, not
+ # just creating them. This is what we want here, since we've manually
+ # created the release above.
+ uses: softprops/action-gh-release@v1
+ with:
+ # dist/ contains the built packages, which smoketest-artifacts/
+ # contains the signatures and certificates.
+ files: dist/**