Merge pull request #9 from nejch/oidc-release

nejch · web-flow · commit d51b514929da · 2023-04-30T00:38:24.000+02:00
feat(ci): switch to OIDC publishing
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,15 +7,23 @@ on:
 
 jobs:
   release:
-    if: github.repository == 'python-gitlab/python-gitlab'
+    if: github.repository == 'nejch/python-gitlab' # testing via test.pypi.org first
     runs-on: ubuntu-latest
+    environment: test.pypi.org # testing via test.pypi.org first
     steps:
     - uses: actions/checkout@v3.5.0
       with:
         fetch-depth: 0
         token: ${{ secrets.RELEASE_GITHUB_TOKEN }}
+    - name: mint API token
+      id: mint-token
+      run: |
+        oidc_token=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=testpypi" | jq '.value')
+        api_token=$(curl -X POST https://test.pypi.org/_/oidc/github/mint-token -d "{\"token\": \"${oidc_token}\"}" | jq '.token')
+        echo "::add-mask::${api_token}"
+        echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
     - name: Python Semantic Release
       uses: relekang/python-semantic-release@v7.33.2
       with:
         github_token: ${{ secrets.RELEASE_GITHUB_TOKEN }}
-        pypi_token: ${{ secrets.PYPI_TOKEN }}
+        pypi_token: ${{ steps.mint-token.outputs.api-token }}
diff --git a/pyproject.toml b/pyproject.toml
@@ -30,6 +30,7 @@ branch = "main"
 version_variable = "gitlab/_version.py:__version__"
 commit_subject = "chore: release v{version}"
 commit_message = ""
+repository = "testpypi" # testing via test.pypi.org first
 
 [tool.pylint.messages_control]
 max-line-length = 88
