fix: Escape release tag body and change PyPi to use trusted publisher…

… for authentication.
firebase · Jan 19, 2024 · 0a37c87 · 0a37c87
1 parent 2376584
commit 0a37c87
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/.github/scripts/publish_preflight_check.sh b/.github/scripts/publish_preflight_check.sh
@@ -173,7 +173,7 @@ echo "$CHANGELOG"
 # and https://github.com/github/docs/issues/21529#issue-1418590935
 FILTERED_CHANGELOG=`echo "$CHANGELOG" | grep -v "\\[INFO\\]"`
 echo "changelog<<CHANGELOGEOF" >> $GITHUB_OUTPUT
-echo "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT
+echo -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT
 echo "CHANGELOGEOF" >> $GITHUB_OUTPUT
 
 

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -92,6 +92,11 @@ jobs:
       startsWith(github.event.pull_request.title, '[chore] Release ')
 
     runs-on: ubuntu-latest
+    permissions:
+      # Used to create a short-lived OICD token which is given to PyPi to identify this workflow job
+      # See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
+      # and https://docs.pypi.org/trusted-publishers/using-a-publisher/
+      id-token: write
 
     steps:
     - name: Checkout source for publish
@@ -116,10 +121,7 @@ jobs:
             --notes "${{ steps.preflight.outputs.changelog }}"
 
     - name: Publish to Pypi
-      uses: pypa/[email protected]
-      with:
-        user: firebase
-        password: ${{ secrets.PYPI_PASSWORD }}
+      uses: pypa/gh-action-pypi-publish@release/v1
 
     # Post to Twitter if explicitly opted-in by adding the label 'release:tweet'.
     - name: Post to Twitter