Use PyPI trusted publishing

dolfinus · Jul 30, 2023 · 53b44a6 · 53b44a6
1 parent b8d6b56
commit 53b44a6
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 82 deletions.
diff --git a/.github/workflows/dev-release.yml b/.github/workflows/dev-release.yml
@@ -7,65 +7,45 @@ on:
     - pre-commit-ci-update-config
   workflow_dispatch:
 
-jobs:
-  wait-tests:
-    name: Wait for tests
-    runs-on: ubuntu-latest
+env:
+  DEFAULT_PYTHON: '3.11'
 
-    steps:
-    - uses: fountainhead/[email protected]
-      id: wait-for-tests
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        checkName: Tests done
-        ref: ${{ github.sha }}
-        timeoutSeconds: 3600
-
-    - name: Fail the Build
-      uses: cutenode/action-always-fail@v1
-      if: steps.wait-for-tests.outputs.conclusion != 'success'
-
-  wait-codeql:
-    name: Wait for CodeQL
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: fountainhead/[email protected]
-      id: wait-for-codeql
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        checkName: Analyze
-        ref: ${{ github.sha }}
-        timeoutSeconds: 3600
-
-    - name: Fail the Build
-      uses: cutenode/action-always-fail@v1
-      if: steps.wait-for-codeql.outputs.conclusion != 'success'
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
 
+jobs:
   release:
     name: Release package
     runs-on: ubuntu-latest
-    needs: [wait-tests, wait-codeql]
+    if: github.repository == 'dolfinus/setuptools-git-versioning'  # prevent running on forks
+
+    environment:
+      name: test-pypi
+      url: https://test.pypi.org/p/onetl
+    permissions:
+      id-token: write # to auth in Test PyPI
 
     steps:
     - name: Checkout code
       uses: actions/checkout@v3
       with:
         fetch-depth: 0
 
-    - name: Set up Python 3.11
+    - name: Set up Python ${{ env.DEFAULT_PYTHON }}
+      id: python
       uses: actions/setup-python@v4
       with:
-        python-version: '3.11'
+        python-version: ${{ env.DEFAULT_PYTHON }}
 
     - name: Cache pip
       uses: actions/cache@v3
       with:
         path: ~/.cache/pip
-        key: ${{ runner.os }}-python-3.11-release-${{ hashFiles('requirements*.txt') }}
+        key: ${{ runner.os }}-python-${{ env.DEFAULT_PYTHON }}-release-${{ hashFiles('requirements*.txt') }}
         restore-keys: |
-          ${{ runner.os }}-python-3.11-release-${{ hashFiles('requirements*.txt') }}
-          ${{ runner.os }}-python-3.11-release-
+          ${{ runner.os }}-python-${{ env.DEFAULT_PYTHON }}-release-${{ hashFiles('requirements*.txt') }}
+          ${{ runner.os }}-python-${{ env.DEFAULT_PYTHON }}-release-
           ${{ runner.os }}-python
           ${{ runner.os }}-
 
@@ -88,5 +68,4 @@ jobs:
     - name: Publish package
       uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        password: ${{ secrets.TEST_PYPI_API_TOKEN }}
         repository_url: https://test.pypi.org/legacy/
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,65 +5,41 @@ on:
     tags:
     - v*
 
-jobs:
-  wait-tests:
-    name: Wait for tests
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: fountainhead/[email protected]
-      id: wait-for-tests
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        checkName: Tests done
-        ref: ${{ github.sha }}
-        timeoutSeconds: 3600
-
-    - name: Fail the Build
-      uses: cutenode/action-always-fail@v1
-      if: steps.wait-for-tests.outputs.conclusion != 'success'
-
-  wait-codeql:
-    name: Wait for CodeQL
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: fountainhead/[email protected]
-      id: wait-for-codeql
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        checkName: Analyze
-        ref: ${{ github.sha }}
-        timeoutSeconds: 3600
-
-    - name: Fail the Build
-      uses: cutenode/action-always-fail@v1
-      if: steps.wait-for-codeql.outputs.conclusion != 'success'
+env:
+  DEFAULT_PYTHON: '3.11'
 
+jobs:
   release:
     name: Release package
     runs-on: ubuntu-latest
-    needs: [wait-tests, wait-codeql]
+    if: github.repository == 'dolfinus/setuptools-git-versioning'  # prevent running on forks
+
+    environment:
+      name: pypi
+      url: https://pypi.org/p/onetl
+    permissions:
+      id-token: write # to auth in PyPI
+      contents: write # to create Github release
 
     steps:
     - name: Checkout code
       uses: actions/checkout@v3
       with:
         fetch-depth: 0
 
-    - name: Set up Python 3.11
+    - name: Set up Python ${{ env.DEFAULT_PYTHON }}
       uses: actions/setup-python@v4
       with:
-        python-version: '3.11'
+        python-version: ${{ env.DEFAULT_PYTHON }}
 
     - name: Cache pip
       uses: actions/cache@v3
       with:
         path: ~/.cache/pip
-        key: ${{ runner.os }}-python-3.11-release-${{ hashFiles('requirements*.txt') }}
+        key: ${{ runner.os }}-python-${{ env.DEFAULT_PYTHON }}-release-${{ hashFiles('requirements*.txt') }}
         restore-keys: |
-          ${{ runner.os }}-python-3.11-release-${{ hashFiles('requirements*.txt') }}
-          ${{ runner.os }}-python-3.11-release-
+          ${{ runner.os }}-python-${{ env.DEFAULT_PYTHON }}-release-${{ hashFiles('requirements*.txt') }}
+          ${{ runner.os }}-python-${{ env.DEFAULT_PYTHON }}-release-
           ${{ runner.os }}-python
           ${{ runner.os }}-
 
@@ -96,8 +72,6 @@ jobs:
 
     - name: Publish package
       uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        password: ${{ secrets.PYPI_API_TOKEN }}
 
     - name: Create Github release
       id: create_release