From: Mike Bayer Date: Fri, 5 Jun 2026 16:35:35 +0000 (-0400) Subject: use trusted publishing for PyPI wheel uploads X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=24a9c35bed5d883118d57e92409cb732292bae22;p=thirdparty%2Fsqlalchemy%2Fsqlalchemy.git use trusted publishing for PyPI wheel uploads Replace token-based PyPI authentication with OIDC trusted publishing. Add workflow-level id-token: write permission, generate PEP 740 attestations using pypi-attestations, and upload with twine --attestations. Removes the pypi_token secret dependency. Closes: #13324 Change-Id: I75d8eab7ade7be61ed86d773ea2403cd484c81dd
---
diff --git a/.github/workflows/create-wheels.yaml b/.github/workflows/create-wheels.yaml
index 376837920c..4730258ab7 100644
--- a/.github/workflows/create-wheels.yaml
+++ b/.github/workflows/create-wheels.yaml
@@ -8,6 +8,10 @@ on:
 # branches:
 # - "go_wheel_*"
+permissions:
+ id-token: write
+ contents: read
+
 # env:
 # # comment TWINE_REPOSITORY_URL to use the real pypi. NOTE: change also the secret used in TWINE_PASSWORD
 # TWINE_REPOSITORY_URL: https://test.pypi.org/legacy/
@@ -99,7 +103,7 @@ jobs:
 # PYTHONNOUSERSITE: "1"
- - name: Set up Python for twine and pure-python wheel
+ - name: Set up Python for pure-python wheel
 uses: actions/setup-python@v6
 with:
 python-version: "3.14"
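Review bot: The new `permissions:` block grants `id-token: write` at workflow level, so every job in this workflow, including the build jobs and any third-party actions they run, can mint an OIDC token that the PyPI trusted publisher registered for this workflow will accept. Keep only `contents: read` at the top and put the write scope on the job that signs and uploads: `permissions:` / `  id-token: write` under that job. Once any `permissions:` key is set, every unlisted scope becomes `none`, so the step later in the file that passes `repo-token: ${{ secrets.GITHUB_TOKEN }}` with `files: './wheelhouse/*.whl'` loses write access; if it uploads the wheels as release assets it now needs `contents: write` on its own job. The context comment `NOTE: change also the secret used in TWINE_PASSWORD` is left over from the token flow this commit removes; reword it to say that test.pypi needs its own trusted publisher registered for this workflow file. The second hunk is only a step rename and needs nothing.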
@@ -124,14 +128,12 @@ jobs:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 files: './wheelhouse/*.whl'
+ - name: Generate attestations
+ run: |
+ pip install pypi-attestations
+ python -m pypi_attestations sign ./wheelhouse/*
+
 - name: Publish wheel
- # the action https://github.com/marketplace/actions/pypi-publish runs only on linux and we cannot specify
- # additional options
- env:
- TWINE_USERNAME: __token__
- # replace TWINE_PASSWORD with token for real pypi
- # TWINE_PASSWORD: ${{ secrets.test_pypi_token }}
- TWINE_PASSWORD: ${{ secrets.pypi_token }}
 run: |
- python -m pip install -U twine
- twine upload --skip-existing ./wheelhouse/*
+ pip install "twine>=6.2.0"
+ twine upload --skip-existing --attestations ./wheelhouse/*
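Review bot: Both tool installs on the publishing path are unpinned, `pip install pypi-attestations` and `pip install "twine>=6.2.0"`, so whatever the resolver returns at release time runs with the job's OIDC credential in scope and handles the wheels before they are signed and uploaded; pin exact versions with hashes, e.g. `pip install --require-hashes -r requirements-publish.txt` with `pypi-attestations==<pinned-version>` and `twine==<pinned-version>` listed in that file. The signing step obtains its Sigstore identity from the job's ambient OIDC token, as does the now token-less `twine upload`, which is worth stating in a comment above `Generate attestations`: `# needs id-token: write — signs via Sigstore using the job's OIDC identity`. With the `env:` block gone, the `pypi_token` repository secret is no longer referenced and should be revoked on PyPI and deleted from the repository settings, since a leftover long-lived token is a standing credential the trusted publisher does not need.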