Switch publishing to use OIDC (#239)

NabuCasa · Mar 20, 2024 · 0e2b0f5 · 0e2b0f5
1 parent 59edc12
commit 0e2b0f5
Showing 1 changed file with 40 additions and 8 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,26 +2,58 @@ name: Upload Python Package
 
 on:
   release:
-    types: [published]
+    types:
+      - published
+
+permissions: {}
 
 jobs:
-  deploy:
+  build:
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v4.1.1
+
       - name: Set up Python
         uses: actions/setup-python@v5.0.0
         with:
           python-version: "3.x"
+
+      - name: Verify version
+        uses: home-assistant/actions/helpers/verify-version@master
+
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
           pip install setuptools build
-      - name: Build and publish
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
+
+      - name: Build
         run: |
           python -m build
-          twine upload dist/*
+
+      - name: Upload dists
+        uses: actions/upload-artifact@v4.3.1
+        with:
+          name: "dist"
+          path: "dist/"
+          if-no-files-found: error
+          retention-days: 5
+
+  publish:
+    name: Upload release to PyPI
+    runs-on: ubuntu-latest
+    needs: "build"
+    environment:
+      name: release
+      url: https://pypi.org/p/snitun
+    permissions:
+      id-token: write
+    steps:
+    - name: Download dists
+      uses: actions/download-artifact@v4.1.4
+      with:
+        name: "dist"
+        path: "dist/"
+
+    - name: Publish dists to PyPI
+      # Pinned to a commit for security purposes
+      uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14