Use trusted publisher for PyPI uploads (#2330)

saitcakmak · facebook-github-bot · commit dd6ef713b832 · 2024-05-02T11:54:57.000-07:00
Summary: [Upgrade to Trusted Publishing](https://github.com/pytorch/botorch/actions/runs/8914483363/job/24484640242#step:9:20) Trusted Publishers allows publishing packages to PyPI from automated environments like GitHub Actions without needing to use username/password combinations or API tokens to authenticate with PyPI. Read more: https://docs.pypi.org/trusted-publishers I set-up the trusted publishers for deploy & nightly workflows on pypi & test-pypi. These will generate temporary tokens for upload originating from these workflows and avoid the need for tokens. Pull Request resolved: #2330 Test Plan: https://github.com/pytorch/botorch/actions/runs/8916612542/job/24488330050 Reviewed By: Balandat Differential Revision: D56861480 Pulled By: saitcakmak fbshipit-source-id: 6a2a5403bae6fcc76a5ac2ae947d73473b8d47e6
diff --git a/.github/workflows/deploy_on_release.yml b/.github/workflows/deploy_on_release.yml
@@ -18,6 +18,8 @@ jobs:
   package-deploy-pypi:
     name: Package and deploy to pypi.org
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # This is required for PyPI OIDC authentication.
     needs: tests-and-coverage-pip
     steps:
     - uses: actions/checkout@v4
@@ -40,8 +42,6 @@ jobs:
     - name: Deploy to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        user: __token__
-        password: ${{ secrets.PYPI_TOKEN }}
         verbose: true
 
   package-deploy-conda:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -18,6 +18,8 @@ jobs:
   package-test-deploy-pypi:
     name: Package and test deployment to test.pypi.org
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # This is required for PyPI OIDC authentication.
     steps:
     - uses: actions/checkout@v4
     - name: Fetch all history for all tags and branches
@@ -54,10 +56,8 @@ jobs:
     - name: Deploy to Test PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        user: __token__
-        password: ${{ secrets.TEST_PYPI_TOKEN }}
-        repository_url: https://test.pypi.org/legacy/
-        skip_existing: true
+        repository-url: https://test.pypi.org/legacy/
+        skip-existing: true
         verbose: true
 
   package-conda:
