ci: publish via trusted-publishing

williballenthin · williballenthin · commit 1575f30b3c10 · 2025-05-02T10:07:37.000+02:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,31 +1,35 @@
-# This workflows will upload a Python Package using Twine when a release is created
-# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
-
-name: Upload Python Package
+# use PyPI trusted publishing, as described here:
+# https://blog.trailofbits.com/2023/05/23/trusted-publishing-a-new-benchmark-for-packaging-security/
+name: publish to pypi
 
 on:
   release:
-    types: [created]
+    types: [published]
 
-jobs:
-  deploy:
+permissions:
+  contents: write
 
+jobs:
+  pypi-publish:
     runs-on: ubuntu-latest
-
+    environment:
+      name: release
+    permissions:
+      id-token: write
     steps:
-    - uses: actions/checkout@v2
-    - name: Set up Python
-      uses: actions/setup-python@v2
-      with:
-        python-version: '3.x'
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install setuptools wheel twine
-    - name: Build and publish
-      env:
-        TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
-        TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
-      run: |
-        python setup.py sdist bdist_wheel
-        twine upload dist/*
+      - uses: actions/checkout@v2
+      - uses: astral-sh/setup-uv@v5
+      - name: install
+        run: uv sync --all-extras
+      - name: build package
+        run: uv run python -m build
+      - name: upload package artifacts
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          path: dist/*
+      - name: publish package
+        uses: pypa/gh-action-pypi-publish@f5622bde02b04381239da3573277701ceca8f6a0  # release/v1
+        with:
+          skip-existing: true
+          verbose: true
+          print-hash: true
diff --git a/pyproject.toml b/pyproject.toml
@@ -72,3 +72,8 @@ length_sort = true
 
 [tool.ruff]
 line-length = 120
+
+[dependency-groups]
+build = [
+    "build>=1.2.2.post1",
+]
