Merge pull request #77 from canonical/work/trusted-publishing

upils · web-flow · commit 20c78b5575b2 · 2025-03-07T15:25:12.000+01:00
ci: use Trusted Publishing for PyPI releases
diff --git a/.github/workflows/release-publish.yaml b/.github/workflows/release-publish.yaml
@@ -36,17 +36,21 @@ jobs:
           path: dist/
   pypi:
     needs: ["source-wheel"]
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, jammy, amd64]
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
     steps:
       - name: Get packages
         uses: actions/download-artifact@v4
         with:
           name: pypi-packages
           path: dist/
       - name: Publish to pypi
+        # Note: this action uses PyPI's support for Trusted Publishers
+        # It needs a configuration on the PyPI project - see:
+        # https://docs.pypi.org/trusted-publishers/adding-a-publisher/#github-actions
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          password: ${{ secrets.PYPI_API_TOKEN }}
   github-release:
     needs: ["source-wheel"]
     runs-on: ubuntu-latest
