From 75976361fa6b6dc889b14bd3fb6539cad5d7bff3 Mon Sep 17 00:00:00 2001
From: John Sirois
Date: Thu, 20 Apr 2023 22:42:12 -0700
Subject: [PATCH] Convert PyPI publishing to OIDC.

I've already configured the publisher on PyPI as described here: https://docs.pypi.org/trusted-publishers/adding-a-publisher/ This change addresses the GitHub side of things as described here: https://docs.pypi.org/trusted-publishers/using-a-publisher/ I'll delete the PYPI_USERNAME and PYPI_PASSWORD secrets after a successful release using this new system. Prep work for #2121
---
 .github/workflows/release.yml | 22 +++++++++++++---------
 scripts/package.py | 27 +++++++++++++++++----------
 2 files changed, 30 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d6bc65321..a14e2e806 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,14 +12,14 @@ jobs:
 org-check:
 name: Check GitHub Organization
 if: ${{ github.repository_owner == 'pantsbuild' }}
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
 steps:
 - name: Noop
 run: "true"
 determine-tag:
 name: Determine the release tag to operate against.
 needs: org-check
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
 outputs:
 release-tag: ${{ steps.determine-tag.outputs.release-tag }}
 release-version: ${{ steps.determine-tag.outputs.release-version }}
@@ -42,8 +42,10 @@ jobs:
 pypi:
 name: Publish sdist and wheel to PyPI
 needs: determine-tag
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
 environment: Release
+ permissions:
+ id-token: write
 steps:
 - name: Checkout Pex ${{ needs.determine-tag.outputs.release-tag }}
 uses: actions/checkout@v3
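Review bot: `id-token: write` is granted to the whole `pypi` job, and the next hunk (@@ -53,17 +55,19 @@) keeps the tox build step in that same job, so everything the build pulls in and runs executes where a PyPI-scoped OIDC token can be requested. Trusted publishing is tighter when only the publish step sits behind that permission: build the sdist and wheel in a job with no `id-token` permission, hand `dist/` over as an artifact, and let a small `pypi` job download and publish it. The `steps:` list of the job continues outside this hunk, so the sketch below marks the unchanged steps with comments.

```yaml
  build:
    name: Build sdist and wheel
    needs: determine-tag
    runs-on: ubuntu-22.04
    steps:
      # … unchanged: checkout, setup-python and the run-tox "package" step …
      - name: Upload built distributions
        uses: actions/upload-artifact@v3
        with:
          name: dist
          path: dist/
  pypi:
    name: Publish sdist and wheel to PyPI
    needs: [determine-tag, build]
    runs-on: ubuntu-22.04
    environment: Release
    permissions:
      id-token: write
    steps:
      - name: Download built distributions
        uses: actions/download-artifact@v3
        with:
          name: dist
          path: dist/
      # … unchanged: pypa/gh-action-pypi-publish step …
```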
@@ -53,17 +55,19 @@ jobs:
 uses: actions/setup-python@v4
 with:
 python-version: "3.11"
- - name: Publish Pex ${{ needs.determine-tag.outputs.release-tag }}
+ - name: Build sdist and wheel
 uses: pantsbuild/actions/run-tox@e63d2d0e3c339bdffbe5e51e7c39550e3bc527bb
- env:
- FLIT_USERNAME: ${{ secrets.PYPI_USERNAME }}
- FLIT_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
 with:
- tox-env: publish
+ tox-env: package -- --no-pex --additional-format sdist --additional-format wheel
+ - name: Publish Pex ${{ needs.determine-tag.outputs.release-tag }}
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ print-hash: true
+ verbose: true
 github-release:
 name: Create Github Release
 needs: determine-tag
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
 environment: Release
 steps:
 - name: Checkout Pex ${{ needs.determine-tag.outputs.release-tag }}
diff --git a/scripts/package.py b/scripts/package.py
index 16d454588..6622eea6b 100755
--- a/scripts/package.py
+++ b/scripts/package.py
@@ -9,7 +9,7 @@
 from enum import Enum, unique
 from http.server import HTTPServer, SimpleHTTPRequestHandler
 from pathlib import Path, PurePath
-from typing import Tuple, cast
+from typing import Optional, Tuple, cast
 
 PROJECT_METADATA = Path("pyproject.toml")
 DIST_DIR = Path("dist")
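Review bot: The new publish step references `pypa/gh-action-pypi-publish@release/v1`, a branch ref that can move, while the `run-tox` step just above it is pinned to a full commit SHA. This is the step that runs with `id-token: write` in the `Release` environment, so it is the one most worth pinning: `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, with the SHA taken from a release you have reviewed and kept current by Dependabot or a similar updater. The enclosing `pypi` job starts before this hunk.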
@@ -99,18 +99,19 @@ def build_pex_dists(dist_fmt: Format, *additional_dist_fmts: Format, verbose: bo
 def main(
 *additional_dist_formats: Format,
 verbosity: int = 0,
- pex_output_file: Path = DIST_DIR / "pex",
+ pex_output_file: Optional[Path] = DIST_DIR / "pex",
 local: bool = False,
 serve: bool = False
 ) -> None:
- print(f"Building Pex PEX to `{pex_output_file}` ...")
- build_pex_pex(pex_output_file, local, verbosity)
+ if pex_output_file:
+ print(f"Building Pex PEX to `{pex_output_file}` ...")
+ build_pex_pex(pex_output_file, local, verbosity)
 
- git_rev = describe_git_rev()
- sha256, size = describe_file(pex_output_file)
- print(f"Built Pex PEX @ {git_rev}:")
- print(f"sha256: {sha256}")
- print(f" size: {size}")
+ git_rev = describe_git_rev()
+ sha256, size = describe_file(pex_output_file)
+ print(f"Built Pex PEX @ {git_rev}:")
+ print(f"sha256: {sha256}")
+ print(f" size: {size}")
 
 if additional_dist_formats:
 print(
@@ -156,6 +157,12 @@ def main(
 action="append",
 help="Package Pex in additional formats.",
 )
+ parser.add_argument(
+ "--no-pex",
+ default=False,
+ action="store_true",
+ help="Build Pex PEX with just a single local interpreter.",
+ )
 parser.add_argument(
 "--pex-output-file",
 default=DIST_DIR / "pex",
@@ -179,7 +186,7 @@ def main(
 main(
 *(args.additional_formats or ()),
 verbosity=args.verbosity,
- pex_output_file=args.pex_output_file,
+ pex_output_file=None if args.no_pex else args.pex_output_file,
 local=args.local,
 serve=args.serve
 )
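Review bot: In the @@ -99,18 +99,19 @@ hunk the guard `if pex_output_file:` relies on truthiness although the parameter is now `Optional[Path]`; `if pex_output_file is not None:` says what is meant and does not depend on how a `Path` evaluates in a boolean context. `main` has no docstring in the visible lines, so the new meaning of `None` can only be learned from the call site; a one-line comment above the guard such as `# pex_output_file=None skips building the Pex PEX (used by --no-pex).` would cover it. The body of `main` continues past the end of this hunk.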
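Review bot: The help text added for `--no-pex` in the @@ -156,6 +157,12 @@ hunk, "Build Pex PEX with just a single local interpreter.", does not describe the flag: the last hunk maps it to `pex_output_file=None`, which skips the Pex PEX build altogether. It reads like a copy of another option's help; something like `help="Do not build the Pex PEX; only build the additional formats.",` would match the behavior. With this wiring an explicit `--pex-output-file` is also silently ignored when `--no-pex` is given, which the help text could mention. The argument-parser setup starts and ends outside the hunk.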