python-deploy.yml

name: Python CI (publishing)

on:
  release:
    types: [published]

jobs:
  deploy-pkg:
    name: Deploy package
    runs-on: ubuntu-latest
    environment: release
      permissions:
        # IMPORTANT: this permission is mandatory for trusted publishing
        id-token: write

    steps:
      - name: Checkout the repo
        uses: actions/checkout@v3

      - name: Set up Python
        uses: actions/setup-python@v4.5.0
        with:
          python-version: '3.10'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install setuptools wheel twine

      - name: OIDC token
        run: |
          resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
          "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
          
          oidc_token=$(jq '.value' <<< "${resp}")
          
          resp=$(curl -X POST https://pypi.org/_/oidc/mint-token -d "{\"token\": \"${oidc_token}\"}")
          api_token=$(jq '.token' <<< "${resp}")

          # tell GitHub Actions to mask the token in any console logs,
          # to avoid leaking it
          echo "::add-mask::${api_token}"

      - name: Build and publish package
        run: |
          python setup.py sdist bdist_wheel
          TWINE_USERNAME=__token__ TWINE_PASSWORD="${api_token}" twine upload dist/*