chore(ci): use OIDC trusted publishing for pypi.org

nejch · nejch · commit 7ccee680508c · 2023-05-01T10:32:39.000+02:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,13 +9,27 @@ jobs:
   release:
     if: github.repository == 'python-gitlab/python-gitlab'
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    environment: pypi.org
     steps:
     - uses: actions/checkout@v3.5.0
       with:
         fetch-depth: 0
         token: ${{ secrets.RELEASE_GITHUB_TOKEN }}
+    - name: mint API token
+      id: mint-token
+      run: |
+        resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
+        oidc_token=$(jq '.value' <<< "${resp}")
+
+        resp=$(curl -X POST https://pypi.org/_/oidc/github/mint-token -d "{\"token\":${oidc_token}}")
+        api_token=$(jq '.token' <<< "${resp}" | tr -d '"')
+
+        echo "::add-mask::${api_token}"
+        echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
     - name: Python Semantic Release
       uses: relekang/python-semantic-release@v7.33.2
       with:
         github_token: ${{ secrets.RELEASE_GITHUB_TOKEN }}
-        pypi_token: ${{ secrets.PYPI_TOKEN }}
+        pypi_token: ${{ steps.mint-token.outputs.api-token }}
