Use trusted publisher (#7178)

scikit-image · Sep 30, 2023 · 7ce1c26 · 7ce1c26
1 parent 0cc3d90
commit 7ce1c26
Showing 1 changed file with 11 additions and 11 deletions.
diff --git a/.github/workflows/wheel_tests_and_release.yml b/.github/workflows/wheel_tests_and_release.yml
@@ -20,20 +20,22 @@ jobs:
     uses: ./.github/workflows/wheels_recipe.yml
 
   deploy:
-    permissions:
-      contents: write # for softprops/action-gh-release to create GitHub release
     name: Release
     needs: call-workflow-build-wheels
     if: github.repository_owner == 'scikit-image' && startsWith(github.ref, 'refs/tags/v') && always()
     runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      contents: write # for softprops/action-gh-release to create GitHub release
+      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
     steps:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - uses: actions/setup-python@v4
         name: Install Python
         with:
-          python-version: "3.9"
+          python-version: "3.11"
 
       - name: Install Twine
         run: |
@@ -45,19 +47,17 @@ jobs:
           name: wheels
           path: ./dist
 
-      - name: Publish the source distribution on PyPI
+      - name: Build the source distribution
         run: |
           SK_VERSION=$(git describe --tags)
           source tools/github/before_install.sh
           python -m build --no-isolation --skip-dependency-check --sdist .
           ls -la ${{ github.workspace }}/dist
-          # We prefer to release wheels before source because otherwise there is a
-          # small window during which users who pip install scikit-image will require compilation.
-          twine upload ${{ github.workspace }}/dist/*.whl
-          twine upload ${{ github.workspace }}/dist/scikit_image-${SK_VERSION:1}.tar.gz
-        env:
-          TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }}
-          TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
+
+      # We prefer to release wheels before source because otherwise there is a
+      # small window during which users who pip install scikit-image will require compilation.
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
 
       - name: Github release
         uses: softprops/action-gh-release@v1