Test commit.

Signed-off-by: Bhupender <[email protected]>
pravega · Nov 30, 2023 · 33d336d · 33d336d
1 parent 91a47ce
commit 33d336d
Showing 1 changed file with 19 additions and 15 deletions.
diff --git a/.github/workflows/tagPublish.yml b/.github/workflows/tagPublish.yml
@@ -68,27 +68,31 @@ jobs:
       - name: build source
         id: build_source
         run: python -u .github/workflows/build_source.py
+      - name: mint API token
+        id: mint-token
+        run: |
+            # retrieve the ambient OIDC token
+            resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+                "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=testpypi")
+            oidc_token=$(jq '.value' <<< "${resp}")
+            
+            # exchange the OIDC token for an API token
+            resp=$(curl -X POST https://pypi.org/_/oidc/github/mint-token -d "{\"token\": \"${oidc_token}\"}")
+            api_token=$(jq '.token' <<< "${resp}")
+            
+            # mask the newly minted API token, so that we don't accidentally leak it
+            echo ${api_token}
+            echo "::add-mask::${api_token}"
+            
+            # see the next step in the workflow for an example of using this step output
+            echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
       - name: Publish to pypi
         env:
           # the username and the repository needs to be changed before release.
           TWINE_USERNAME: __token__
+          TWINE_PASSWORD:  ${{ steps.mint-token.outputs.api-token }}
           TWINE_REPOSITORY: testpypi
         run: |
-          # retrieve the ambient OIDC token
-          resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-              "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=testpypi")
-          oidc_token=$(jq '.value' <<< "${resp}")
-          
-          # exchange the OIDC token for an API token
-          resp=$(curl -X POST https://pypi.org/_/oidc/github/mint-token -d "{\"token\": \"${oidc_token}\"}")
-          api_token=$(jq '.token' <<< "${resp}")
-          
-          # mask the newly minted API token, so that we don't accidentally leak it
-          echo "::add-mask::${api_token}"
-          
-          # see the next step in the workflow for an example of using this step output
-          echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
-          TWINE_PASSWORD="${api_token}"
           pip install -U twine
           python -m twine upload --skip-existing target/wheels/*
       - name: Upload to Github releases