From 8f73662be8b1dbcae5c26bd6a90c817381f6cc24 Mon Sep 17 00:00:00 2001
From: Marques Johansson
Date: Thu, 12 Dec 2024 07:53:48 -0600
Subject: [PATCH] chore: publish with attestation

Based on attestation warnings in the release pipeline, this PR removes the username and password combo, as advised in the GHA warnings and here: https://github.com/pypa/gh-action-pypi-publish?tab=readme-ov-file#trusted-publishing I've added the Trusted Publisher Management publisher profile for GitHub to the Pypi project. I'm leaving the token in GHA Secrets, for now, so that we can revert this PR and take the alternate approach of disabling attestation if there are additional hurdles in the publishing phase.
---
 .github/workflows/release.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 5037c663..f95cac26 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -11,6 +11,8 @@ jobs:
   release:
     name: Build and publish package
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       - name: Checkout
@@ -51,6 +53,4 @@ jobs:
       - name: Publish package
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
           packages-dir: ${{ env.DIST_DIR }}
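Review bot: The new job-level `permissions:` block in the first hunk resets every scope it does not list to none, so the `Checkout` step two lines below now runs with no `contents` permission; on a private repository that breaks the clone, and on a public one the read intent is still worth stating explicitly so a later switch of visibility does not silently break the release. Listing the minimum the job needs keeps the token scoped while staying explicit: `permissions:` / `  contents: read` / `  id-token: write`. The `release` job definition continues past the hunk, so any `environment:` or further steps are not visible here.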
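Review bot: In the second hunk, once `user` and `password` are removed the publish step is authenticated only by the OIDC token, so the PyPI trusted-publisher entry must name this exact workflow file (`release.yaml`) and, if one is configured there, a GitHub environment; neither the remaining `with:` lines nor the job header shown in the first hunk bind the job to an environment. Adding `environment: pypi` (or whatever name is registered on PyPI) to the `release` job narrows which runs can mint a publishable token and lets deployment protection rules gate the step, which is the setup the linked gh-action-pypi-publish guidance describes. Since the description says the old API token stays in the repository secrets as a fallback, a follow-up to revoke it once trusted publishing is confirmed working would close out the credential. The step list continues outside the hunk.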