Python: Replace publish action (#180)

mpkorstanje · web-flow · commit d7ba13d50a67 · 2024-11-24T20:53:32.000+01:00
Replaces `cucumber/action-publish-pypi` with
`pypa/gh-action-pypi-publish@release/v1`. The motivation for using
actions in the cucumber org is to ensure that we do not hand release
tokens to untrusted code. As the party publishing our python packages,
the Python Package Authority can be trusted. Additionally, their action
uses trusted publishers which authorizes GitHub with OIDC so no
long-lived tokens are used.
diff --git a/.github/workflows/release-pypi.yaml b/.github/workflows/release-pypi.yaml
@@ -23,6 +23,14 @@ jobs:
           python-version: "3.10"
       - name: Show Python version
         run: python --version
-      - uses: cucumber/action-publish-pypi@v3.0.0
+
+      - name: Build package
+        run: |
+          python -m pip install build twine
+          python -m build
+          twine check --strict dist/*
+
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          working-directory: "python"
+          packages-dir: python/dist
diff --git a/.github/workflows/test-python.yml b/.github/workflows/test-python.yml
@@ -1,7 +1,4 @@
 name: test-python
-defaults:
-  run:
-    working-directory: python
 
 on:
   push:
@@ -21,19 +18,26 @@ jobs:
         os:
           - ubuntu-latest
         python-version: ["3.x","pypy-3.10"]
+    defaults:
+      run:
+        working-directory: python
     steps:
-    - uses: actions/checkout@v4
-    - name: Set up Python
-      uses: actions/setup-python@v5
-      with:
-        python-version: ${{ matrix.python-version }}
-        architecture: x64
-    - name: Show Python version
-      run: python --version
-    - name: Install Python package dependencies
-      run: |
-        python -m pip install -U pip setuptools wheel
-        pip install -U -r py.requirements/ci.github.testing.txt
-        pip install -e .
-    - name: Run tests
-      run: pytest
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          architecture: x64
+      - name: Show Python version
+        run: python --version
+      - name: Install Python package dependencies
+        run: |
+          python -m pip install pip setuptools wheel build twine
+          pip install -U -r py.requirements/ci.github.testing.txt
+          pip install -e .
+      - name: Run tests
+        run: pytest
+      - name: Build package
+        run: |
+          python -m build
+          twine check --strict dist/*
