From 18f0bb8ab1aebc885b0feb61fa5171ffa9d92713 Mon Sep 17 00:00:00 2001
From: Thomas Lento
Date: Mon, 29 Jul 2024 18:01:57 -0700
Subject: [PATCH] Enable Trusted Publishing for PyPI actions (#1356)

In order to use Trusted Publishing we have to do some special things. Most of these things have been abstracted away through the official action plugin provided by the Python Packaging Authority. This change simply conforms our actions configs with the requirements for the plugin. Specifically, providing the `id-token: write` permission and the target URL for publication in the relevant environment config.
---
 .../workflows/cd-push-dbt-metricflow-to-pypi.yaml | 15 ++++++++++++---
 .github/workflows/cd-push-metricflow-to-pypi.yaml | 13 ++++++++++---
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/cd-push-dbt-metricflow-to-pypi.yaml b/.github/workflows/cd-push-dbt-metricflow-to-pypi.yaml
index 05618a380c..2bf657db66 100644
--- a/.github/workflows/cd-push-dbt-metricflow-to-pypi.yaml
+++ b/.github/workflows/cd-push-dbt-metricflow-to-pypi.yaml
@@ -12,7 +12,11 @@ env:
 jobs:
 pypi-publish:
 runs-on: ubuntu-latest
- environment: Pypi Publish
+ environment:
+ name: Pypi Publish
+ url: https://pypi.org/p/dbt-metricflow
+ permissions:
+ id-token: write
 steps:
 - name: Check-out the repo
 uses: actions/checkout@v3
@@ -22,6 +26,11 @@ jobs:
 with:
 python-version: "${{ env.PYTHON_VERSION }}"

- - name: Hatch Publish `dbt-metricflow`
+ - name: Build `dbt-metricflow` package
 working-directory: ./dbt-metricflow
- run: hatch build && hatch publish
+ run: hatch build
+
+ - name: Publish `dbt-metricflow` package to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ packages-dir: ./dbt-metricflow/dist/
diff --git a/.github/workflows/cd-push-metricflow-to-pypi.yaml b/.github/workflows/cd-push-metricflow-to-pypi.yaml
index 85cfde6995..076d78593d 100644
--- a/.github/workflows/cd-push-metricflow-to-pypi.yaml
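Review bot: The job-level `permissions: id-token: write` added here covers every step of `pypi-publish`, so the `hatch build` step and the Python/Hatch setup run with the ability to mint the OIDC token that PyPI accepts for publishing. Splitting the work into a `build` job without the token permission that uploads the built distributions as an artifact, and a `pypi-publish` job that only downloads them and runs the publish action, keeps build-time code away from the publishing identity; a sketch follows. Because a `permissions` block sets every unlisted scope to none, `actions/checkout` will also need `contents: read` if the repository is private. The same applies to the matching hunk in `cd-push-metricflow-to-pypi.yaml`. The job's step list continues outside this hunk.

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # … unchanged: check-out and Python/Hatch setup steps …
      - name: Build `dbt-metricflow` package
        working-directory: ./dbt-metricflow
        run: hatch build
      - name: Upload built distributions
        uses: actions/upload-artifact@v4
        with:
          name: dbt-metricflow-dist
          path: ./dbt-metricflow/dist/

  pypi-publish:
    needs: build
    runs-on: ubuntu-latest
    # … unchanged: environment name/url and `id-token: write` permission …
    steps:
      - name: Download built distributions
        uses: actions/download-artifact@v4
        with:
          name: dbt-metricflow-dist
          path: dist/
      - name: Publish `dbt-metricflow` package to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
```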
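Review bot: The new publish step references `pypa/gh-action-pypi-publish@release/v1`, a branch that can move, in the one job that holds `id-token: write`; whatever that ref points to at run time is able to publish under the project's Trusted Publisher identity. Pinning to a full commit SHA, `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1` (placeholder; take the SHA from a reviewed release), makes the published code path auditable, and the same applies to the publish step in `cd-push-metricflow-to-pypi.yaml`. If the workflow-level `env:` block, which is outside this hunk, still exports a PyPI API token for `hatch publish`, it is now unused and should be removed and the token revoked.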
+++ b/.github/workflows/cd-push-metricflow-to-pypi.yaml
@@ -13,7 +13,11 @@ env:
 jobs:
 pypi-publish:
 runs-on: ubuntu-latest
- environment: Pypi Publish
+ environment:
+ name: Pypi Publish
+ url: https://pypi.org/p/metricflow
+ permissions:
+ id-token: write
 steps:
 - name: Check-out the repo
 uses: actions/checkout@v3
@@ -23,5 +27,8 @@ jobs:
 with:
 python-version: "${{ env.PYTHON_VERSION }}"

- - name: Hatch Publish `metricflow`
- run: hatch build && hatch publish
+ - name: Build `metricflow` package
+ run: hatch build
+
+ - name: Publish `metricflow` package to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1