use trusted publishers to upload releases (#146)

* add the `zizmor` hook

* rewrite the publish workflow to use trusted publishers

* fix the pypi project path

* follow recommendations by `zizmor`

* follow recommendations in the nightly tests

Author: keewis

.github/workflows/ci.yaml

@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: [main]
 
+permissions: {}
+
 jobs:
   linux:
     name: "sphinx v${{matrix.sphinx-version}} py${{matrix.python-version}}"
@@ -33,6 +35,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: setup python
         uses: actions/setup-python@v5

.github/workflows/nightly.yaml

@@ -8,6 +8,8 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions: {}
+
 jobs:
   detect-ci-trigger:
     name: detect upstream-dev ci trigger
@@ -21,6 +23,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 2
+          persist-credentials: false
       - uses: xarray-contrib/[email protected]
         id: detect-trigger
         with:
@@ -52,6 +55,7 @@ jobs:
         with:
           # need to fetch all tags to get a correct version
           fetch-depth: 0 # fetch all branches and tags
+          persist-credentials: false
 
       - name: setup python
         uses: actions/setup-python@v5
@@ -96,9 +100,15 @@ jobs:
       && github.event_name == 'schedule'
       && github.repository == 'xarray-contrib/sphinx-autosummary-accessors'
       && needs.upstream-dev.outputs.artifacts_availability == 'true'
+
+    permissions:
+      issues: write
+
     steps:
       - name: checkout the repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: setup python
         uses: actions/setup-python@v5
         with:

.github/workflows/publish.yaml

@@ -1,32 +1,31 @@
-name: Upload package to PyPI
+name: Upload Python Package on PyPI
 
 on:
   release:
-    types: [created]
+    types: [published]
 
 jobs:
-  publish:
-    name: Publish to PyPI
+  deploy:
     runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/sphinx-autosummary-accessors
+    permissions:
+      id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
           python-version: "3.x"
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip build twine
-      - name: Build
-        run: |
-          python -m build --sdist --wheel --outdir dist/ .
-      - name: Check the built archives
-        run: |
-          twine check dist/*
-      - name: Publish to PyPI
+      - name: Install publish dependencies
+        run: python -m pip install build
+      - name: Build package
+        run: python -m build . -o dist
+      - name: Publish package to PyPI
         uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc
         with:
-          user: __token__
-          password: ${{ secrets.pypi_token }}
-          repository_url: https://upload.pypi.org/legacy/
-          verify_metadata: true
+          packages-dir: dist

.pre-commit-config.yaml

@@ -31,3 +31,7 @@ repos:
     rev: 25.1.0
     hooks:
       - id: black
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v1.4.1
+    hooks:
+      - id: zizmor