Commit 9fdd8fe

Use trusted publishing to simplify deployment (#73)
# References and relevant issues

One of the most difficult things for me when starting was adding an API key to publish to PyPI. Even today, it's one of the most tedious parts of publishing a package. This PR instead uses the newer OIDC trusted publishing through PyPI which requires no API Key. Instead, you add a new pending publisher via your PyPI account. This is more secure _and_ simpler than before! I have tested this today with a new plugin to ensure it works correctly. :)
1 parent a8f277d commit 9fdd8fe

2 files changed

+11
-18
lines changed

README.md

Lines changed: 6 additions & 11 deletions
Original file line number | Diff line number | Diff line change
@@ -359,20 +359,15 @@ to install the codecov github app and give it access to your napari plugin repos
359359
### Set up automatic deployments
360360

361361
Your new package is also nearly ready to automatically deploy to [PyPI]
362-
(whenever you create a tagged release), so that your users can simply `pip install` your package. You just need to create an [API token to authenticate
363-
with PyPi](https://pypi.org/help/#apitoken), and then add it to your github
364-
repository:
362+
(whenever you create a tagged release), so that your users can simply `pip install` your package.
363+
We now use the newer [trusted OIDC publishing](https://docs.pypi.org/trusted-publishers/creating-a-project-through-oidc/) method for PyPI; no API token is needed.
365364

366365
1. If you don't already have one, [create an
367366
account](https://pypi.org/account/register/) at [PyPI]
368-
2. Verify your email address with PyPI, (if you haven't already)
369-
3. Generate an [API token](https://pypi.org/help/#apitoken) at PyPi: In your
370-
[account settings](https://pypi.org/manage/account/) go to the API tokens
371-
section and select "Add API token". Make sure to copy it somewhere safe!
372-
4. [Create a new encrypted
373-
secret](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets)"
374-
in your github repository with the name "TWINE_API_KEY", and paste in your
375-
API token.
367+
2. Verify your email address with PyPI, (if you haven't already) and add
368+
2FA authentication to your account.
369+
3. Add a new pending publisher. Go to Account Settings > Publishing.
370+
Scroll down to add a new pending publisher and enter in the requested details.
376371

377372
You are now setup for automatic deployment!
378373

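Review bot: step 3 of the new text ("Add a new pending publisher ... enter in the requested details") never says which details, and the one that bites is the workflow filename: it has to be entered exactly as the template names it, `test_and_deploy.yml`, or PyPI will not trust the job defined in `template/.github/workflows/test_and_deploy.yml`. Spell out at least the PyPI project name, the GitHub owner and repository name, and that filename. Two smaller points: with old step 4 deleted, users migrating an existing plugin should be told that the `TWINE_API_KEY` secret is no longer read by the workflow and can be deleted from the repository, and the comma in "Verify your email address with PyPI, (if you haven't already)" belongs after the closing parenthesis.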
template/.github/workflows/test_and_deploy.yml

Lines changed: 5 additions & 7 deletions
Original file line number | Diff line number | Diff line change
@@ -70,21 +70,19 @@ jobs:
7070
needs: [test]
7171
runs-on: ubuntu-latest
7272
if: contains(github.ref, 'tags')
73+
permissions:
74+
id-token: write
7375
steps:
7476
- uses: actions/checkout@v4
7577
- name: Set up Python
7678
uses: actions/setup-python@v5
7779
with:
7880
python-version: "3.x"
79-
- name: Install dependencies
81+
- name: Build package
8082
run: |
8183
python -m pip install --upgrade pip
8284
pip install -U setuptools setuptools_scm wheel twine build
83-
- name: Build and publish
84-
env:
85-
TWINE_USERNAME: __token__
86-
TWINE_PASSWORD: ${{ secrets.TWINE_API_KEY }}
87-
run: |
8885
git tag
8986
python -m build .
90-
twine upload dist/*
87+
- name: Publish to PyPI
88+
uses: pypa/gh-action-pypi-publish@release/v1
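Review bot: the new job-level `permissions:` block lists only `id-token: write`, which sets every other `GITHUB_TOKEN` scope for this job to none, so `actions/checkout@v4` runs without `contents` access; that passes on a public plugin repository but fails on a private one, so add `contents: read` next to `id-token: write`. Two follow-ups: `pypa/gh-action-pypi-publish@release/v1` is a moving branch ref, and since this is the step that holds the OIDC publishing credential it should be pinned to a full-length commit SHA with the release tag in a trailing comment; and the "Build package" step still runs `pip install -U setuptools setuptools_scm wheel twine build` although nothing calls `twine` now that `twine upload dist/*` is gone, so drop it (only `build` is needed, as `python -m build .` installs the build backend in its own isolated environment).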
