ci: switch to trusted publishing for pypi

rotki · Dec 13, 2024 · 583da4e · 583da4e
1 parent 756f3fa
commit 583da4e
Showing 1 changed file with 20 additions and 8 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -41,6 +41,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
       - name: Build OpenSSL
         run: |
           BASEDIR=$(pwd)
@@ -102,6 +103,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
       - name: Set up python
         uses: actions/setup-python@v5
         with:
@@ -114,7 +116,9 @@ jobs:
       - name: prepare build directory
         run: ./scripts/prepare.sh
       - name: Install cibuildwheel
-        run: python -m pip install cibuildwheel==${{ env.CIBW_VERSION }}
+        run: python -m pip install cibuildwheel=="${CIBW_VERSION}"
+        env:
+          CIBW_VERSION: ${{ env.CIBW_VERSION }}
       - name: Build wheels
         working-directory: build
         run: python -m cibuildwheel --output-dir wheelhouse
@@ -137,6 +141,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
       - name: Set up python
         uses: actions/setup-python@v5
         with:
@@ -152,7 +157,9 @@ jobs:
         env:
           CIBW_ARCHS_LINUX: ${{ matrix.arch }}
       - name: Install cibuildwheel
-        run: python -m pip install cibuildwheel==${{ env.CIBW_VERSION }}
+        run: python -m pip install cibuildwheel=="${CIBW_VERSION}"
+        env:
+          CIBW_VERSION: ${{ env.CIBW_VERSION }}
       - name: Build wheels
         working-directory: build
         run: python -m cibuildwheel --output-dir wheelhouse
@@ -171,6 +178,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
       - name: Set up python
         uses: actions/setup-python@v5
         with:
@@ -179,7 +187,9 @@ jobs:
       - name: prepare build directory
         run: ./scripts/prepare.ps1
       - name: Install cibuildwheel
-        run: python -m pip install cibuildwheel==${{ env.CIBW_VERSION }}
+        run: python -m pip install cibuildwheel=="${CIBW_VERSION}"
+        env:
+          CIBW_VERSION: ${{ env.CIBW_VERSION }}
       - name: Build wheels
         working-directory: build
         run: python -m cibuildwheel --output-dir wheelhouse
@@ -201,6 +211,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
       - name: Set up python
         uses: actions/setup-python@v5
         with:
@@ -223,6 +234,9 @@ jobs:
     runs-on: ubuntu-20.04
     if: github.event_name == 'push' && !(startsWith(github.ref, 'refs/tags/v'))
     environment: test-pypi
+    permissions:
+      # IMPORTANT: this permission is mandatory for Trusted Publishing
+      id-token: write
     steps:
       - uses: actions/download-artifact@v4
         with:
@@ -232,8 +246,6 @@ jobs:
 
       - uses: pypa/gh-action-pypi-publish@v1.10.3
         with:
-          user: __token__
-          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
           repository-url: https://test.pypi.org/legacy/
           skip-existing: true
 
@@ -243,6 +255,9 @@ jobs:
     runs-on: ubuntu-20.04
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
     environment: pypi
+    permissions:
+      # IMPORTANT: this permission is mandatory for Trusted Publishing
+      id-token: write
     steps:
       - uses: actions/download-artifact@v4
         with:
@@ -251,6 +266,3 @@ jobs:
           path: dist
 
       - uses: pypa/gh-action-pypi-publish@v1.10.3
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}