Merge pull request #229 from offbyone/add-trusted-publisher

Experiment: add trusted publisher
hamcrest · Apr 24, 2023 · a8c760e · a8c760e
2 parents 63212eb + 4e16952
commit a8c760e
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 11 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,6 +10,15 @@ on:
       - main
   workflow_dispatch:
 
+  release:
+    types:
+      - published
+
+permissions:
+  contents: read
+  # Needed for trusted publishing.
+  id-token: write
+
 jobs:
   pure-python-wheel-and-sdist:
     name: Build a pure Python wheel and source distribution
@@ -21,20 +30,32 @@ jobs:
           # Fetch all tags; this is needed for hatch-vcs
           fetch-depth: 0
 
-      - name: Install build dependencies
-        run: python -m pip install --upgrade build
+      - uses: hynek/build-and-inspect-python-package@v1
+
+  # Upload to Test PyPI on every commit on main.
+  publish-test-release:
+    name: Publish in-dev package to test.pypi.org
+    environment: publish-test-release
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    needs:
+      - pure-python-wheel-and-sdist
 
-      - name: Build
-        run: python -m build
+    steps:
+      - name: Download packages built by build-and-inspect-python-package
+        uses: actions/download-artifact@v3
+        with:
+          name: Packages
+          path: dist
 
-      - uses: actions/upload-artifact@v3
+      - name: Upload package to Test PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          name: artifacts
-          path: dist/*
-          if-no-files-found: error
+          repository-url: https://test.pypi.org/legacy/
 
-  publish:
+  publish-release:
     name: Publish release
+    environment: publish-release
     needs:
       - pure-python-wheel-and-sdist
     runs-on: ubuntu-latest
@@ -43,13 +64,13 @@ jobs:
       (github.event_name == 'workflow_dispatch' && startsWith(github.event.ref, 'refs/tags'))
 
     steps:
-      - uses: actions/download-artifact@v2
+      - uses: actions/download-artifact@v3
         with:
           name: artifacts
           path: dist
 
       - name: Push build artifacts to PyPI
-        uses: pypa/gh-action-pypi-publish@v1.4.2
+        uses: pypa/gh-action-pypi-publish@release/v1
         with:
           skip_existing: true
           user: __token__

diff --git a/pyproject.toml b/pyproject.toml
@@ -85,6 +85,7 @@ Issues = "https://github.com/hamcrest/PyHamcrest/issues"
 
 [tool.hatch.version]
 source = "vcs"
+raw_options = { local_scheme = "no-local-version" }
 
 [tool.hatch.build.hooks.vcs]
 version-file = "src/hamcrest/_version.py"