Convert build pipelines to use two jobs

sirosen · sirosen · commit 1abd70a75c9c · 2023-08-25T13:15:02.000-05:00
This avoids exposing the GitHub token (`id-token: write`) used for trusted publishing to the build process (`build` and the underlying backend), improving security via isolation. Also, add `twine check` to the build+publish pipeline, per the recommendations of various publishing guides, to catch malformed metadata. Big thanks to @webknjaz for spotting this improvement and for providing tools, docs, and guidance for publishing!
diff --git a/.github/workflows/publish_to_pypi.yaml b/.github/workflows/publish_to_pypi.yaml
@@ -5,20 +5,40 @@ on:
     types: [published]
 
 jobs:
-  publish:
+  build-dists:
     runs-on: ubuntu-latest
-    environment: publish
-    permissions:
-      id-token: write
 
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
           python-version: "3.11"
 
-      - run: python -m pip install build
-      - run: python -m build .
+      - run: python -m pip install build twine
+
+      - name: Build Dists
+        run: python -m build .
+
+      - name: Check Dists (twine)
+        run: twine check dist/*
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: packages
+          path: dist/*
+
+  publish:
+    needs: [build-dists]
+    runs-on: ubuntu-latest
+    environment: publish-testpypi
+    permissions:
+      id-token: write
+
+    steps:
+      - uses: actions/download-artifact@v3
+        with:
+          name: packages
+          path: dist
 
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/.github/workflows/publish_to_test_pypi.yaml b/.github/workflows/publish_to_test_pypi.yaml
@@ -12,19 +12,16 @@ on:
     tags: ["*"]
 
 jobs:
-  publish:
+  build-dists:
     runs-on: ubuntu-latest
-    environment: publish-testpypi
-    permissions:
-      id-token: write
 
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
           python-version: "3.11"
 
-      - run: python -m pip install build
+      - run: python -m pip install build twine
 
       - name: Set dev version prior to upload (auto)
         if: ${{ github.event.inputs.devNumber == '' }}
@@ -34,9 +31,32 @@ jobs:
         if: ${{ github.event.inputs.devNumber != '' }}
         run: python ./scripts/set-dev-version.py -n ${{ github.event.inputs.devNumber }}
 
-      - run: python -m build .
+      - name: Build Dists
+        run: python -m build .
+
+      - name: Check Dists (twine)
+        run: twine check dist/*
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: packages
+          path: dist/*
+
+
+  publish:
+    needs: [build-dists]
+    runs-on: ubuntu-latest
+    environment: publish-testpypi
+    permissions:
+      id-token: write
+
+    steps:
+      - uses: actions/download-artifact@v3
+        with:
+          name: packages
+          path: dist
 
       - name: Publish to TestPyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          repository_url: https://test.pypi.org/legacy/
+          repository-url: https://test.pypi.org/legacy/
