Setup Trusted Publisher deployment to PyPI

Use this instead of the API tokens we used before. It's safer and easier to use because it doesn't required generating tokens and pasting them to GitHub.
fatiando · Mar 13, 2024 · b2097db · b2097db
1 parent 13d0f2b
commit b2097db
Showing 1 changed file with 4 additions and 5 deletions.
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
@@ -88,6 +88,10 @@ jobs:
     needs: build
     # Only publish from the origin repository, not forks
     if: github.repository_owner == 'fatiando' && github.event_name != 'pull_request'
+    environment: pypi
+    permissions:
+      # This permission allows trusted publishing to PyPI (without an API token)
+      id-token: write
 
     steps:
       - name: Checkout
@@ -109,8 +113,6 @@ jobs:
         if: github.event_name == 'push'
         uses: pypa/[email protected]
         with:
-          user: __token__
-          password: ${{ secrets.TEST_PYPI_TOKEN}}
           repository_url: https://test.pypi.org/legacy/
           # Allow existing releases on test PyPI without errors.
           # NOT TO BE USED in PyPI!
@@ -120,6 +122,3 @@ jobs:
         # Only publish to PyPI when a release triggers the build
         if: github.event_name == 'release'
         uses: pypa/[email protected]
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_TOKEN}}