fix: use PyPI trusted publisher authentication (#33)

Updates the GitHub Actions publish workflow to use PyPI's Trusted Publisher authentication instead of token-based authentication. This change improves security by: - Removing the need to store PyPI tokens in GitHub secrets - Using OpenID Connect (OIDC) for secure authentication - Leveraging PyPI's recommended authentication method for GitHub Actions ## Changes - Removed token-based authentication (TWINE_USERNAME and TWINE_PASSWORD) - Added required `id-token: write` permission for OIDC - Switched from manual twine upload to `pypa/gh-action-pypi-publish` action
Bjarten · Nov 10, 2024 · 3a0d9b8 · 3a0d9b8
1 parent cba4e59
commit 3a0d9b8
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 39 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -3,11 +3,17 @@ name: Publish Python Package
 on:
   push:
     tags:
-      - 'v*.*.*'  # Automatically publish when a new version tag is pushed
+      - 'v*.*.*'
 
 jobs:
   publish:
+    name: Upload release to PyPI
     runs-on: ubuntu-latest
+    environment:
+      name: release
+      url: https://pypi.org/p/early-stopping-pytorch
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
 
     steps:
       - name: Checkout code
@@ -18,26 +24,13 @@ jobs:
         with:
           python-version: '3.12'
 
-      - name: Cache pip
-        uses: actions/cache@v3
-        with:
-          path: ~/.cache/pip
-          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt', '**/requirements-dev.txt') }}
-          restore-keys: |
-            ${{ runner.os }}-pip-
-
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install build twine
+          pip install build
 
-      - name: Build the package
-        run: |
-          python -m build
+      - name: Build package
+        run: python -m build
 
-      - name: Publish to PyPI
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
-        run: |
-          python -m twine upload --repository pypi dist/*
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/README.md b/README.md
@@ -36,25 +36,5 @@ You can now import and use the package in your Python code:
 ```python
 from early_stopping_pytorch import EarlyStopping
 ```
-
----
-
-### Summary of Commands
-
-1. Clone the repository:
-   `git clone https://github.com/your_username/early-stopping-pytorch.git`
-
-2. Set up the environment:
-   `./setup_dev_env.sh`
-
-3. Activate the environment:
-   `source dev-venv/bin/activate`
-
-4. Install the package in editable mode:
-   `pip install -e .`
-
-5. Optional: Build the package for distribution:
-   `./build.sh`
-
 ## References
 The ```EarlyStopping``` class in ```early_stopping_pytorch/early_stopping.py``` is inspired by the [ignite EarlyStopping class](https://github.com/pytorch/ignite/blob/master/ignite/handlers/early_stopping.py).