Use Trusted Publisher for publishing to PyPI (#12)

* Add necessary permissions for GitHub Actions to work with repos which have workflow permission: "Read repository contents and package permissions". * Document how to create a PyPI project with a trusted publisher in quickstart.md.
statisticsnorway · Aug 11, 2023 · 8331172 · 8331172
1 parent 39de933
commit 8331172
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 45 deletions.
diff --git a/cookiecutter.json b/cookiecutter.json
@@ -7,7 +7,7 @@
   "author": "Contact Person",
   "email": "[email protected]",
   "github_organization": "statisticsnorway",
-  "version": "0.1.0",
+  "version": "0.0.0",
   "license": ["MIT", "Apache-2.0", "GPL-3.0"],
   "development_status": [
     "Development Status :: 1 - Planning",

diff --git a/docs/quickstart.md b/docs/quickstart.md
@@ -96,18 +96,16 @@ $ nox -s pre-commit -- install
 ### PyPI
 
 1. Sign up at [PyPI].
-2. Go to the Account Settings on PyPI,
-   generate an API token, and copy it.
-3. Go to the repository settings on GitHub, and
-   add a secret named `PYPI_TOKEN` with the token you just copied.
+2. Go to the Account Settings on PyPI, select Publishing,
+   and set up a new pending publisher as described on
+   [Creating a PyPI Project with a Trusted Publisher] [Trusted Publisher].
 
 ### TestPyPI
 
 1. Sign up at [TestPyPI].
-2. Go to the Account Settings on TestPyPI,
-   generate an API token, and copy it.
-3. Go to the repository settings on GitHub, and
-   add a secret named `TEST_PYPI_TOKEN` with the token you just copied.
+2. Go to the Account Settings on TestPyPI, select Publishing,
+   and set up a new pending publisher as described on
+   [Creating a PyPI Project with a Trusted Publisher] [Trusted Publisher].
 
 ### Codecov
 
@@ -177,3 +175,4 @@ by applying labels to them, like this:
 [pypi]: https://pypi.org/
 [read the docs]: https://readthedocs.org/
 [testpypi]: https://test.pypi.org/
+[trusted publisher]: https://docs.pypi.org/trusted-publishers/creating-a-project-through-oidc/
diff --git a/{{cookiecutter.project_name}}/.github/workflows/labeler.yml b/{{cookiecutter.project_name}}/.github/workflows/labeler.yml
@@ -5,10 +5,15 @@ on:
     branches:
       - main
       - master
+    paths:
+      - ".github/labels.yml"
+      - ".github/workflows/labeler.yml"
 
 jobs:
   labeler:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
       - name: Check out the repository
         uses: actions/checkout@v3

diff --git a/{{cookiecutter.project_name}}/.github/workflows/release.yml b/{{cookiecutter.project_name}}/.github/workflows/release.yml
@@ -10,6 +10,9 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
     steps:
       - name: Check out the repository
         uses: actions/checkout@v3
@@ -57,15 +60,12 @@ jobs:
 
       - name: Publish package on PyPI
         if: steps.check-version.outputs.tag
-        uses: pypa/[email protected]
-        with:
-          password: {{ "${{ secrets.PYPI_TOKEN }}" }}
+        uses: pypa/[email protected]
 
       - name: Publish package on TestPyPI
         if: "! steps.check-version.outputs.tag"
-        uses: pypa/[email protected].8
+        uses: pypa/[email protected].10
         with:
-          password: {{ "${{ secrets.TEST_PYPI_TOKEN }}" }}
           repository_url: https://test.pypi.org/legacy/
 
       - name: Publish the release notes

diff --git a/{{cookiecutter.project_name}}/poetry.lock b/{{cookiecutter.project_name}}/poetry.lock