Commit
Publish to PyPI with OIDC trusted publisher
This commit will update Python package publishing to the newest format recommended by PyPI. This project previously published packages with a project-scoped PyPI API token (token only valid for this project) stored in GitHub Secrets and the `hatch publish` command. The project will now publish packages using an OIDC (OpenID Connect) trusted publisher with the pypa/gh-action-pypi-publish action. This is the method that Hatch itself uses (Hatch does not "dogfood" its own `hatch publish` feature). The advantage to OIDC is that authentication is performed with temporary API tokens (only valid for 15 minutes) instead of persistent tokens that must be manually generated on PyPI and pasted into GitHub Secrets. The disadvantage is that authentication is more complicated.

To use PyPI OIDC, a trusted publisher was set up for the PyPI project as shown in the [PyPI docs](https://docs.pypi.org/trusted-publishers/). Next, a dedicated GitHub Actions deployment environment was created for PyPI, with protection rules that only allow use of the environment with workflow runs triggered by Git tags. The environment protection rules combine with tag protection rules in existing GitHub rulesets to ensure PyPI packages can only be published when a maintainer pushes a Git tag.

The GitHub Actions workflows will be updated to use the deployment environment. Deployment environments must be selected at the job level before the job begins, so a setup job will be added that selects the appropriate deployment environment and passes it to the PyPI job. Finally, after `hatch build` outputs the package build files to the `dist/` directory, pypa/gh-action-pypi-publish will be used to publish the package to PyPI.

The pypa/gh-action-pypi-publish action only appears to support exact version tags like pypa/[email protected], which means the action version requires an update for every release. The Git commit ID (SHA) will be used instead of the exact version tag because it is more specific. Releases can be modified and republished, but commit IDs cannot, so a commit ID is more reliable.

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi
https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment
https://docs.github.com/en/actions/learn-github-actions/finding-and-customizing-actions
https://docs.pypi.org/trusted-publishers/
https://github.com/pypa/gh-action-pypi-publish
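The workflow shape the commit message describes (setup job selects the environment, PyPI job uses it with an OIDC token and a SHA-pinned publish action), written here as an added illustration rather than the project's own workflow file; the environment name `pypi`, the job and step names, and the commit-ID placeholder are assumptions.

```yaml
name: publish

on:
  push:
    branches: [main]
    tags: ["*"]

jobs:
  setup:
    runs-on: ubuntu-latest
    outputs:
      environment: ${{ steps.select.outputs.environment }}
    steps:
      - id: select
        # Only workflow runs triggered by a Git tag get the protected
        # "pypi" environment (assumed name); everything else gets none.
        run: |
          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
            echo "environment=pypi" >> "$GITHUB_OUTPUT"
          else
            echo "environment=" >> "$GITHUB_OUTPUT"
          fi

  pypi:
    needs: [setup]
    # Skip entirely when setup selected no environment (non-tag push).
    if: needs.setup.outputs.environment != ''
    runs-on: ubuntu-latest
    # Environment must be chosen at job level; its protection rules
    # (tags only) are enforced before the job starts.
    environment: ${{ needs.setup.outputs.environment }}
    permissions:
      contents: read
      id-token: write   # lets the job request a short-lived OIDC token; no PyPI secret
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: pip install hatch
      - run: hatch build   # writes sdist and wheel into dist/
      # Pin to the action's full 40-character commit ID, not a version tag.
      # <FULL-COMMIT-SHA> is a placeholder; the page does not state the real value.
      - uses: pypa/gh-action-pypi-publish@<FULL-COMMIT-SHA>
        with:
          packages-dir: dist/
```

The trusted publisher registered on PyPI must name this workflow file and the `pypi` environment, or the token exchange is refused.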