Reverts publishing via trusted channel. See #528.

Reverts: 3571c06 1583a6f
kdeldycke · May 4, 2023 · 10ab967 · 10ab967
1 parent 1583a6f
commit 10ab967
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 8 deletions.
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -161,7 +161,7 @@ jobs:
         # XXX actionlint triggers this error:
         #   Error: .github/workflows/release.yaml:198:27:
         #   property "workflow_update_github_pat" is not defined in object type {actions_runner_debug: string;
-        #   actions_step_debug: string; github_token: string} [expression]
+        #   actions_step_debug: string; github_token: string; pypi_token: string} [expression]
         # See: https://github.com/rhysd/actionlint/issues/148
         run: >
           ${{ steps.install_actionlint.outputs.executable }}

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -3,6 +3,9 @@ name: Build & release
 # Read https://github.com/actions/runner/issues/491 for insights on complex workflow execution logic.
 "on":
   workflow_call:
+    secrets:
+      PYPI_TOKEN:
+        required: false
     outputs:
       tagged_version:
         description: Tagged/released version (without leading 'v')
@@ -194,7 +197,7 @@ jobs:
         with:
           # XXX actionlint triggers this error:
           #   property "workflow_update_github_pat" is not defined in object type {actions_runner_debug: string;
-          #   actions_step_debug: string; github_token: string} [expression]
+          #   actions_step_debug: string; github_token: string; pypi_token: string} [expression]
           # See: https://github.com/rhysd/actionlint/issues/148
           repo-token: ${{ secrets.WORKFLOW_UPDATE_GITHUB_PAT || secrets.GITHUB_TOKEN }}
           tag: v${{ steps.get_version.outputs.tagged_version }}
@@ -210,11 +213,6 @@ jobs:
     strategy:
       matrix: ${{ fromJSON(needs.project-metadata.outputs.release_commits_matrix) }}
     runs-on: ubuntu-22.04
-    environment:
-      name: pypi
-      url: https://pypi.org/p/${{ needs.project-metadata.outputs.package_name }}
-    permissions:
-      id-token: write
     steps:
       - name: Download build artifacts
         uses: actions/[email protected]
@@ -224,6 +222,8 @@ jobs:
       - name: Push package to public PyPi repository
         uses: pypa/[email protected]
         with:
+          user: __token__
+          password: ${{ secrets.PYPI_TOKEN }}
           packages-dir: ${{ steps.download.outputs.download-path }}
 
   github-release:

diff --git a/changelog.md b/changelog.md
@@ -6,7 +6,7 @@
 This version is not released yet and is under active development.
 ```
 
-- Remove support for `PYPI_TOKEN` secret in release workflow.
+- Reverts publishing via trusted channel: it doesn't work with reuseable workflows. See #528.
 
 ## [2.14.0 (2023-05-04)](https://github.com/kdeldycke/workflows/compare/v2.13.5...v2.14.0)