From c35007f12fcfdc4554c080bb57345c136656d982 Mon Sep 17 00:00:00 2001 From: Ahmed Mohamed Date: Wed, 12 Mar 2025 05:24:57 -0500 Subject: [PATCH 1/3] Upgrade PyPI upload workflow to use Trusted Publishing --- .github/workflows/pypi_upload.yml | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/.github/workflows/pypi_upload.yml b/.github/workflows/pypi_upload.yml index ea13767eeeb..616514f61d2 100644 --- a/.github/workflows/pypi_upload.yml +++ b/.github/workflows/pypi_upload.yml @@ -10,12 +10,16 @@ on: permissions: contents: read + id-token: write # Required for PyPI trusted publishing jobs: main: name: sdist + pure wheel runs-on: ubuntu-latest if: github.event_name == 'release' + environment: + name: release + url: https://pypi.org/p/black steps: - uses: actions/checkout@v4 @@ -26,19 +30,19 @@ jobs: python-version: "3.13" allow-prereleases: true - - name: Install latest pip, build, twine + - name: Install latest pip, build run: | python -m pip install --upgrade --disable-pip-version-check pip - python -m pip install --upgrade build twine + python -m pip install --upgrade build - name: Build wheel and source distributions run: python -m build - if: github.event_name == 'release' - name: Upload to PyPI via Twine - env: - TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }} - run: twine upload --verbose -u '__token__' dist/* + name: Publish package distributions to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 + with: + verbose: true generate_wheels_matrix: name: generate wheels matrix @@ -84,6 +88,10 @@ jobs: name: mypyc wheels ${{ matrix.only }} needs: generate_wheels_matrix runs-on: ${{ matrix.os }} + if: github.event_name == 'release' + environment: + name: release + url: https://pypi.org/p/black strategy: fail-fast: false matrix: 
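Review bot: `id-token: write` is added to the workflow-level `permissions:` block, so every job in this workflow can request an OIDC token, not only the two that publish. Other jobs such as `generate_wheels_matrix` and `update-stable-branch` inherit it too, unless they set their own block outside the visible hunks. Scoping the permission to the publishing jobs keeps the token away from build-only steps: leave the top level at `contents: read` and give each publishing job its own `permissions:` with `contents: read` and `id-token: write`. A job-level `permissions:` block replaces the workflow-level one rather than adding to it, so `contents: read` has to be repeated for `actions/checkout`. The `main` job body continues past this hunk.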
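Review bot: `uses: pypa/gh-action-pypi-publish@release/v1` references a moving branch, and the step runs in a job that can mint the OIDC token PyPI accepts for uploads, so whatever that branch points to at release time is the code that publishes the package. Pinning to a full commit SHA with the ref kept as a trailing comment, `uses: pypa/gh-action-pypi-publish@<FULL_COMMIT_SHA>  # release/v1` (placeholder; take the SHA from the action's releases), makes the publishing code reviewable and lets version bumps arrive as explicit diffs. The same reference appears in the wheel-publishing step of the `@@ -103,10 +111,11 @@` hunk. Separately, `python -m pip install --upgrade build` is unpinned and runs in this same job before the publish step. Building in a job without `id-token: write` and publishing from a second job that only downloads the artifact would keep build-time dependencies away from the token.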
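Review bot: The job-level `if: github.event_name == 'release'` added here skips the whole mypyc wheel build on every non-release event, where before only the upload step was gated. The step-level `- if: github.event_name == 'release'` is still present in the `@@ -103,10 +111,11 @@` hunk and becomes redundant. The `on:` triggers are outside this hunk; if the workflow also runs on pull requests or pushes, the wheel build would no longer be exercised before a release. `environment: release` on a matrix job also makes every leg enter that environment, so any protection rule configured on it would apply once per leg, which is worth confirming. I would drop the added `if:` and `environment:` lines from this build job and attach them to a single publish job instead; the `strategy.matrix` block continues past the hunk.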
@@ -103,10 +111,11 @@ jobs: path: ./wheelhouse/*.whl - if: github.event_name == 'release' - name: Upload wheels to PyPI via Twine - env: - TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }} - run: pipx run twine upload --verbose -u '__token__' wheelhouse/*.whl + name: Publish package distributions to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 + with: + packages-dir: wheelhouse/ + verbose: true update-stable-branch: name: Update stable branch From 1234419913fa7e760feb8b720d5aeadfaedff291 Mon Sep 17 00:00:00 2001 From: Ahmed Mohamed Date: Wed, 12 Mar 2025 09:59:00 -0500 Subject: [PATCH 2/3] Add changelog entry for PyPI Trusted Publishing upgrade --- .github/workflows/pypi_upload.yml | 2 +- CHANGES.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pypi_upload.yml b/.github/workflows/pypi_upload.yml index 616514f61d2..e3af471122f 100644 --- a/.github/workflows/pypi_upload.yml +++ b/.github/workflows/pypi_upload.yml @@ -10,7 +10,7 @@ on: permissions: contents: read - id-token: write # Required for PyPI trusted publishing + id-token: write # Required for PyPI trusted publishing jobs: main: diff --git a/CHANGES.md b/CHANGES.md index 8d8808c2573..a4330b9a834 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -49,6 +49,7 @@ - Fix the version check in the vim file to reject Python 3.8 (#4567) +- Upgraded PyPI upload workflow to use Trusted Publishing (#4589) ### Documentation From 6cbb1d36d0bfdf2652f2f68fe3525b0da32feb1c Mon Sep 17 00:00:00 2001 From: Ahmed Mohamed Date: Wed, 12 Mar 2025 10:45:15 -0500 Subject: [PATCH 3/3] Added PR number for changelog CI --- CHANGES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index a4330b9a834..0ba64f96887 100644 --- a/CHANGES.md +++ b/CHANGES.md 
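Review bot: `pypa/gh-action-pypi-publish` is a Docker container action and runs only on Linux runners, but this publish step sits in the job declared with `runs-on: ${{ matrix.os }}`. If that matrix includes macOS or Windows (its values are outside the visible hunks), those legs will fail at the publish step on a release. The preceding step ending in `path: ./wheelhouse/*.whl` appears to upload the wheels as artifacts already, so publishing can move to one `ubuntu-latest` job that downloads them. That also keeps `id-token: write` and the `release` environment off the wheel-building legs. The job id and artifact pattern in the sketch below are placeholders, since neither is visible in this hunk.

```yaml
  publish-mypyc-wheels:
    name: publish mypyc wheels
    # placeholder: id of the mypyc wheel-building job
    needs: MYPYC_JOB_ID
    runs-on: ubuntu-latest
    if: github.event_name == 'release'
    environment:
      name: release
      url: https://pypi.org/p/black
    permissions:
      id-token: write
    steps:
      # use the major version that matches the existing upload-artifact step
      - uses: actions/download-artifact@v4
        with:
          # placeholder: pattern matching the artifact names the build job uploads
          pattern: ARTIFACT_NAME_PATTERN
          path: wheelhouse/
          merge-multiple: true
      - name: Publish package distributions to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          packages-dir: wheelhouse/
          verbose: true
```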
@@ -49,7 +49,7 @@ - Fix the version check in the vim file to reject Python 3.8 (#4567) -- Upgraded PyPI upload workflow to use Trusted Publishing (#4589) +- Upgraded PyPI upload workflow to use Trusted Publishing (#4611) ### Documentation