ci: release with trusted publisher and attestations (#5196)

* ci: release with trusted publisher and attestations Signed-off-by: Henry Schreiner <henryschreineriii@gmail.com> * Update pip.yml --------- Signed-off-by: Henry Schreiner <henryschreineriii@gmail.com>
2024-06-25 21:12:58 -04:00 · 2024-06-25 21:12:58 -04:00 · b5ec7c7174
parent 26281c7986
commit b5ec7c7174
1 changed files with 11 additions and 7 deletions
--- a/.github/workflows/pip.yml
+++ b/.github/workflows/pip.yml
@ -58,7 +58,7 @@ jobs:

    - name: Prepare env
      run: |
-        python -m pip install -r tests/requirements.txt build twine
+        python -m pip install -r tests/requirements.txt build twine!=5.1.0

    - name: Python Packaging tests
      run: pytest tests/extra_python_package/
@ -91,23 +91,27 @@ jobs:
    runs-on: ubuntu-latest
    if: github.event_name == 'release' && github.event.action == 'published'
    needs: [packaging]
+    environment: pypi
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read

    steps:
-    - uses: actions/setup-python@v5
-      with:
-        python-version: "3.x"
-
    # Downloads all to directories matching the artifact names
    - uses: actions/download-artifact@v4

+    - name: Generate artifact attestation for sdist and wheel
+      uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+      with:
+        subject-path: "*/pybind11*"
+
    - name: Publish standard package
      uses: pypa/gh-action-pypi-publish@release/v1
      with:
-        password: ${{ secrets.pypi_password }}
        packages-dir: standard/

    - name: Publish global package
      uses: pypa/gh-action-pypi-publish@release/v1
      with:
-        password: ${{ secrets.pypi_password_global }}
        packages-dir: global/