ci(release): migrate to PyPI trusted publishing

2025-05-05 15:32:54 +00:00 · 2025-04-25 11:24:06 +02:00 · 2025-04-25 11:24:06 +02:00 · 25647ccd1e
commit 25647ccd1e
parent 5657ab64f9
2 changed files with 81 additions and 35 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -4,7 +4,6 @@ on:
  pull_request:
  push:
    branches: [master]
-    tags: ["*"]
  workflow_dispatch:
    inputs:
      pytest_addopts:
@ -115,37 +114,3 @@ jobs:

      # Run tests
      - run: devenv test
-
-  publish:
-    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
-    needs:
-      - build
-      - flake-check
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0 # Needs all tags to compute dynamic version
-      - name: Install uv
-        uses: astral-sh/setup-uv@v6
-        with:
-          version: ${{ env.UV_VERSION }}
-          enable-cache: "true"
-          cache-suffix: "3.13"
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.13"
-      - name: Build dist
-        run: uv build
-      - name: Publish distribution 📦 to Test PyPI
-        uses: pypa/gh-action-pypi-publish@master
-        with:
-          user: __token__
-          password: ${{ secrets.test_pypi_token_copier }}
-          repository_url: https://test.pypi.org/legacy/
-      - name: Publish distribution 📦 to PyPI
-        uses: pypa/gh-action-pypi-publish@master
-        with:
-          user: __token__
-          password: ${{ secrets.pypi_token_copier }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -0,0 +1,81 @@
+name: release
+
+on:
+  push:
+    tags: ["*"]
+
+env:
+  # renovate: datasource=pypi depName=uv
+  UV_VERSION: "0.6.16"
+
+jobs:
+  build:
+    name: Build project for distribution
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: ${{ env.UV_VERSION }}
+
+      - name: Build project for distribution
+        run: uv build
+
+      - name: Upload artifact containing distribution files
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+          if-no-files-found: error
+
+  publish-test:
+    name: Publish package distributions to test.pypi.org
+    runs-on: ubuntu-latest
+    needs: [build]
+    if: startsWith(github.ref, 'refs/tags/')
+    environment:
+      name: pypi-test
+      url: https://test.pypi.org/p/copier
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Download artifact containing distribution files
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - name: Upload package distributions
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: dist/
+          repository-url: https://test.pypi.org/legacy/
+
+  publish:
+    name: Publish package distributions to pypi.org
+    runs-on: ubuntu-latest
+    needs: [publish-test]
+    if: startsWith(github.ref, 'refs/tags/')
+    environment:
+      name: pypi
+      url: https://pypi.org/p/copier
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Download artifact containing distribution files
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - name: Upload package distributions
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: dist/