NO-ISSUE Use OIDC to publish library to pypi

Yang-33 · Yang-33 · commit 440f6575455b · 2025-03-03T22:16:01.000+09:00
diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml
@@ -13,10 +13,10 @@ on:
         required: true
 
 jobs:
-  deploy:
-
+  release-build:
     runs-on: ubuntu-latest
-
+    permissions:
+      issues: write
     steps:
     - uses: actions/checkout@v4
       with:
@@ -40,13 +40,15 @@ jobs:
         VERSION=${VERSION#v}
         echo "VERSION=$VERSION" >> $GITHUB_ENV
         python tools/update_version.py $VERSION
-    - name: Build and publish
-      env:
-        TWINE_USERNAME: ${{ secrets.PYPI_API_USER }}
-        TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+    - name: Build
       run: |
         python setup.py sdist bdist_wheel
-        twine upload dist/*
+
+    - name: upload artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: release-dists
+        path: dist/
 
     - name: Create GitHub Issue on Failure
       if: failure()
@@ -66,3 +68,42 @@ jobs:
             body: issueBody,
             assignees
           });
+
+  pypi-publish:
+    runs-on: ubuntu-latest
+    needs:
+      - release-build
+    environment:
+      name: release
+    permissions:
+      id-token: write
+      issues: write
+
+    steps:
+      - name: Retrieve release distributions
+        uses: actions/download-artifact@v4
+        with:
+          name: release-dists
+          path: dist/
+
+      - name: Publish release distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
+
+      - name: Create GitHub Issue on Failure
+        if: failure()
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { owner, repo } = context.repo;
+            const version = process.env.VERSION;
+            const issueTitle = `Release job for ${version} failed`;
+            const issueBody = `The release job failed. Please check the [workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more details.`;
+            const assignees = [context.actor];
+            
+            await github.rest.issues.create({
+              owner,
+              repo,
+              title: issueTitle,
+              body: issueBody,
+              assignees
+            });
