diff --git a/.github/workflows/tagPublish.yml b/.github/workflows/tagPublish.yml
index 0e5888d..c34ec67 100644
--- a/.github/workflows/tagPublish.yml
+++ b/.github/workflows/tagPublish.yml
@@ -68,27 +68,31 @@ jobs:
 - name: build source
 id: build_source
 run: python -u .github/workflows/build_source.py
+ - name: mint API token
+ id: mint-token
+ run: |
+ # retrieve the ambient OIDC token
+ resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+ "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=testpypi")
+ oidc_token=$(jq '.value' <<< "${resp}")
+
+ # exchange the OIDC token for an API token
+ resp=$(curl -X POST https://pypi.org/_/oidc/github/mint-token -d "{\"token\": \"${oidc_token}\"}")
+ api_token=$(jq '.token' <<< "${resp}")
+
+ # mask the newly minted API token, so that we don't accidentally leak it
+ echo ${api_token}
+ echo "::add-mask::${api_token}"
+
+ # see the next step in the workflow for an example of using this step output
+ echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
 - name: Publish to pypi
 env:
 # the username and the repository needs to be changed before release.
 TWINE_USERNAME: __token__
+ TWINE_PASSWORD: ${{ steps.mint-token.outputs.api-token }}
 TWINE_REPOSITORY: testpypi
 run: |
- # retrieve the ambient OIDC token
- resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
- "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=testpypi")
- oidc_token=$(jq '.value' <<< "${resp}")
-
- # exchange the OIDC token for an API token
- resp=$(curl -X POST https://pypi.org/_/oidc/github/mint-token -d "{\"token\": \"${oidc_token}\"}")
- api_token=$(jq '.token' <<< "${resp}")
-
- # mask the newly minted API token, so that we don't accidentally leak it
- echo "::add-mask::${api_token}"
-
- # see the next step in the workflow for an example of using this step output
- echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
- TWINE_PASSWORD="${api_token}"
 pip install -U twine
 python -m twine upload --skip-existing target/wheels/*
 - name: Upload to Github releases
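Review bot: The new `echo ${api_token}` in the "mint API token" step writes the freshly minted PyPI token to the job log in clear text, because `::add-mask::` only masks output emitted after it is registered, so the line directly above the mask defeats the masking the comment promises; delete that line and keep only `echo "::add-mask::${api_token}"`. Separately, both `jq '.value'` and `jq '.token'` are used without `-r`, so the extracted values appear to keep their JSON double quotes — the OIDC token is then interpolated quoted into the mint-token request body and the masked/output API token would carry literal quotes; `oidc_token=$(jq -r '.value' <<< "${resp}")` and `api_token=$(jq -r '.token' <<< "${resp}")` avoid that. The audience is `testpypi` and `TWINE_REPOSITORY` is `testpypi` while the exchange is posted to `https://pypi.org/_/oidc/github/mint-token`, which looks like a mismatch the existing "needs to be changed before release" comment only partly covers, and neither `curl` call uses `--fail`, so an error response silently yields an empty token. The enclosing `jobs:` mapping and any `permissions: id-token: write` grant lie outside the hunk.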