build: trusted publishing

nedbat · nedbat · commit 86a9d30fc446 · 2026-04-04T16:32:13.000-04:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,68 @@
+# Licensed under the Apache License: http://www.apache.org/licenses/LICENSE-2.0
+# For details: https://github.com/coveragepy/django_coverage_plugin/blob/main/NOTICE.txt
+
+name: "Publish"
+
+on:
+  push:
+    tags:
+      - '*'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: "${{ github.workflow }}-${{ github.ref }}"
+  cancel-in-progress: true
+
+jobs:
+  build_package:
+    name: "Build"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: "Check out the repo"
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: "Set up Python"
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.14"
+
+      - name: "Install dependencies"
+        run: |
+          python -m pip install .[dev]
+
+      - name: "Build dists"
+        run: |
+          python -m build --sdist --wheel
+          python -m twine check dist/*
+
+      - name: "Upload dists"
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: dists
+          path: dist/*
+          retention-days: 7
+
+  publish_package:
+    name: "Publish"
+    needs: build_package
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      deployment: false
+    permissions:
+      id-token: write # needed for publishing to PyPI
+
+    steps:
+      - name: "Download artifacts"
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: dists
+          path: dist/
+
+      - name: "Publish to PyPI"
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
diff --git a/Makefile b/Makefile
@@ -30,12 +30,6 @@ dist:					## Make the source distribution.
 	python -m build
 	python -m twine check dist/*
 
-pypi:					## Upload the built distributions to PyPI.
-	python -m twine upload --verbose dist/*
-
-test_pypi:				## Upload the distributions to test PyPI.
-	python -m twine upload --verbose --repository testpypi --password $$TWINE_TEST_PASSWORD dist/*
-
 _install_e:
 	python -m pip install -q -e .
 
diff --git a/README.rst b/README.rst
@@ -169,6 +169,8 @@ Gibbons (`pull 108`_).
 
 Dropped Django 3.x and 4.x.
 
+Switched to trusted publishing.
+
 .. _issue 74: https://github.com/coveragepy/django_coverage_plugin/issues/74
 .. _pull 108: https://github.com/coveragepy/django_coverage_plugin/pull/108
 
diff --git a/howto.txt b/howto.txt
@@ -3,14 +3,9 @@
 - Version number in __init__.py
 - Classifiers in pyproject.toml
     https://pypi.python.org/pypi?%3Aaction=list_classifiers
-    eg:
-      Development Status :: 3 - Alpha
-      Development Status :: 5 - Production/Stable
 - Copyright date in NOTICE.txt
 - Update README.rst with latest changes
 - Kits:
-    $ make clean dist
-    $ make test_pypi
-    $ make pypi
     $ make tag
+    # .github/workflows/publish.yml publishes with trusted publishing
     $ make ghrelease
