Merge pull request #129 from tahoe-lafs/127.pypi-trusted-publishing

sajith · web-flow · commit 801b64fa4f70 · 2025-03-19T19:46:40.000-05:00
Use trusted publishing with both PyPI and TestPyPI
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,5 +1,11 @@
-# Build sdist+wheel packages using GitHub Actions.  Mostly adopted
-# from https://cibuildwheel.readthedocs.io/en/stable/setup/
+# Build sdist+wheel packages using GitHub Actions, and publish them on
+# TestPyPI (on pull requests and tags) and PyPI (on tags).
+#
+# The build_wheels job is mostly adopted from
+# https://cibuildwheel.readthedocs.io/en/stable/setup/
+#
+# The upload_pypi and upload_testpypi jobs are adopted from Python
+# Packaging User Guide.
 
 name: "Packages"
 
@@ -108,19 +114,47 @@ jobs:
           name: sdist
           path: dist/*.tar.gz
 
+# Both `upload_pypi` and `upload_testpypi` jobs are based on
+# "Publishing package distribution releases using GitHub Actions CI/CD
+# workflows" page of Python Package User Guide.  Specifically see the
+# section under "The whole CI/CD workflow".
+#
+# https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#the-whole-ci-cd-workflow
+#
+# The important bit here is that we use GitHub Actions as the "trusted
+# publisher" to publish packages on both PyPI and TestPyPI.  We do not
+# use long-lived tokens anymore.  Instead, both PyPI and TestPyPI are
+# configured to trust this GH Actions workflow, and the workflow will
+# use a short-lived tokens minted by them.
+#
+# https://docs.pypi.org/trusted-publishers/
+#
+# There is a bit of duplication below but that seems to be necessary
+# because the environment configuration is different for PyPI and
+# TestPyPI.  Perhaps the duplication is not necessary, but let us just
+# stick with the Python Package User Guide's recommendation.
+
   upload_pypi:
+    name: Publish zfec on PyPI
+
+    # Publish to PyPI on release tag pushes.
+    if: >-
+      github.event_name == 'push' &&
+      startsWith(github.event.ref, 'refs/tags/zfec-')
+
     needs:
       - "build_wheels"
       - "build_sdist"
 
-    # It only needs to run once.  It will fetch all of the other build
-    # artifacts created by the other jobs and then upload them.
     runs-on: "ubuntu-latest"
 
-    # Select the GitHub Actions environment that contains the PyPI tokens
-    # necessary to perform uploads.  This was configured manually using the
-    # GitHub web interface.
-    environment: "release"
+    environment:
+      name: "release"
+      url: "https://pypi.org/project/zfec/"
+
+    # This permission is mandatory for trusted publishing
+    permissions:
+      id-token: write
 
     steps:
       # Download all artifacts previously built by this workflow to the dist
@@ -132,43 +166,44 @@ jobs:
           path: "dist"
           merge-multiple: true
 
-      # Define a conditional step to upload packages to the testing instance
-      # of PyPI.
-      #
-      # The overall workflow is already restricted so that it runs for:
-      # 1) pushes to master
-      # 2) pushes to release tags
-      # 3) pushes to branches with associated PRs
-      #
-      # The conditional in this step should cause it to run only for case (3).
-      - name: "Publish to TEST PyPI"
-        uses: "pypa/gh-action-pypi-publish@v1.6.4"
-        if: >-
-          github.event_name == 'pull_request'
+      - name: "Publish to PyPI"
+        uses: "pypa/gh-action-pypi-publish@v1.12.4"
+        with:
+          # Run `twine upload --verbose`.
+          verbose: true
+
+  upload_testpypi:
+    # Publish both builds triggered by pull requests and builds
+    # triggered by release tags to TestPyPI.
+    name: Publish zfec on TestPyPI
+
+    needs:
+      - "build_wheels"
+      - "build_sdist"
 
+    runs-on: "ubuntu-latest"
+
+    environment:
+      name: "testpypi"
+      url: "https://test.pypi.org/project/zfec/"
+
+    # This permission is mandatory for trusted publishing
+    permissions:
+      id-token: write
+
+    steps:
+      # Do the same thing as the download-artfact step in
+      # upload_testpypi job.
+      - uses: "actions/download-artifact@v4"
         with:
-          # Authenticate using a token from a PyPI account with upload
-          # permission to the project.  See https://pypi.org/help/#apitoken
-          user: "__token__"
-          # Read it from a GitHub Actions "environment" secret.  See
-          # https://docs.github.com/en/actions/security-guides/encrypted-secrets
-          password: "${{ secrets.testpypi_token }}"
-          # Override the default in order to upload it to the testing
-          # deployment.
-          repository_url: "https://test.pypi.org/legacy/"
-
-      # Now define a conditional step to upload packages to the production
-      # instance of PyPI.
-      #
-      # The cases to consider are the same as for the upload to the testing
-      # instance.  This time, we have a conditional that runs only for case
-      # (2).
-      - name: "Publish to LIVE PyPI"
-        uses: "pypa/gh-action-pypi-publish@v1.6.4"
-        if: >-
-          github.event_name == 'push' &&
-          startsWith(github.event.ref, 'refs/tags/zfec-')
+          pattern: "*"
+          path: "dist"
+          merge-multiple: true
 
+      - name: "Publish to TestPyPI"
+        uses: "pypa/gh-action-pypi-publish@v1.12.4"
         with:
-          user: "__token__"
-          password: "${{ secrets.pypi_token }}"
+          # Override the default in order to upload to TestPyPi.
+          repository-url: https://test.pypi.org/legacy/
+          # Run `twine upload --verbose`.
+          verbose: true
