Use GitHub Action Trusted Publisher for PyPI publishing

- Remove "twine" dependency - Remove "publish" configuration from "tox" - Remove references to PyPI secrets
iqm-finland · Mar 4, 2024 · ccc4724 · ccc4724
1 parent f3959ef
commit ccc4724
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 37 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,18 +1,13 @@
-name: Upload to PyPI and publish documentation
+name: Upload package to PyPI and publish documentation
 
 on:
   release:
     types: [published]
   workflow_dispatch:
   workflow_call:
-    secrets:
-      PYPI_USER:
-        required: true
-      PYPI_PASSWORD:
-        required: true
 
 jobs:
-  push_to_pypi:
+  build:
     runs-on: ubuntu-latest
 
     steps:
@@ -26,14 +21,31 @@ jobs:
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          python -m pip install tox==4.11.4
-      - name: Build and publish
-        run: |
-          tox -e build
-          tox -e publish
-        env:
-          TWINE_USERNAME: ${{ secrets.PYPI_USER }}
-          TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
+          python -m pip install build==1.0.3
+      - name: Build distribution
+        run: python -m build
+      - name: Store distribution packages
+        uses: actions/upload-artifact@v4
+        with:
+          path: dist/
+
+  push_to_pypi:
+    runs-on: ubuntu-latest
+    needs:
+    - build
+    environment:
+      name: pypi
+      url: https://pypi.org/p/cirq-iqm
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Download distribution packages
+        uses: actions/download-artifact@v4
+        with:
+          path: dist/
+      - name: Publish distribution packages to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
 
   publish_docs:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/tag_and_release.yml b/.github/workflows/tag_and_release.yml
@@ -41,6 +41,3 @@ jobs:
   trigger_publishing:
     needs: create_tag_and_release
     uses: iqm-finland/cirq-on-iqm/.github/workflows/publish.yml@main
-    secrets:
-      PYPI_USER: ${{ secrets.PYPI_USER }}
-      PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -2,6 +2,11 @@
 Changelog
 =========
 
+Version 13.2
+============
+
+* Use GitHub Action as a Trusted Publisher to publish packages to PyPI. `#127 <https://github.com/iqm-finland/cirq-on-iqm/pull/127>`_
+
 Version 13.1
 ============
 

diff --git a/pyproject.toml b/pyproject.toml
@@ -33,7 +33,7 @@ changelog = "https://github.com/iqm-finland/cirq-on-iqm/blob/main/CHANGELOG.rst"
 
 [project.optional-dependencies]
 # Add here additional requirements for extra features, to install with:
-# `pip install cirq-iqm[dev,docs,testing,cicd]
+# `pip install cirq-iqm[dev,docs,testing]
 dev = [
     "tox == 4.11.4"
 ]
@@ -52,9 +52,6 @@ testing = [
     "pytest-mockito == 0.0.4",
     "pytest-pylint == 0.21.0"
 ]
-cicd = [
-    "twine ~= 4.0"
-]
 
 
 [tool.setuptools_scm]

diff --git a/tox.ini b/tox.ini
@@ -65,18 +65,3 @@ deps =
     build[virtualenv] == 1.0.3
 commands =
     python -m build
-
-[testenv:publish]
-description =
-    Publish the package you have been developing to a package index server.
-skip_install = True
-changedir = {toxinidir}
-deps =
-    twine == 4.0.2
-passenv =
-    TWINE_USERNAME
-    TWINE_PASSWORD
-    TWINE_REPOSITORY_URL
-commands =
-    python -m twine check dist/*
-    python -m twine upload --verbose dist/*