|
47 | 47 | run: python -m build
|
48 | 48 |
|
49 | 49 | - name: Check distribution
|
50 |
| - run: | |
51 |
| - twine check dist/* |
| 50 | + run: twine check dist/* |
52 | 51 |
|
53 | 52 | - name: Create Sigstore attestations for built distributions
|
54 | 53 | uses: actions/attest@v1
|
@@ -87,39 +86,10 @@ jobs:
|
87 | 86 | name: attestation-bundles
|
88 | 87 | path: /tmp/attestation-bundles/
|
89 | 88 |
|
90 |
| - - name: Mint PyPI API token |
91 |
| - id: mint-token |
92 |
| - uses: actions/github-script@v7 |
93 |
| - with: |
94 |
| - # language=JavaScript |
95 |
| - script: | |
96 |
| - // retrieve the ambient OIDC token |
97 |
| - const oidc_request_token = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN; |
98 |
| - const oidc_request_url = process.env.ACTIONS_ID_TOKEN_REQUEST_URL; |
99 |
| - const oidc_resp = await fetch(`${oidc_request_url}&audience=pypi`, { |
100 |
| - headers: {Authorization: `bearer ${oidc_request_token}`}, |
101 |
| - }); |
102 |
| - const oidc_token = (await oidc_resp.json()).value; |
103 |
| -
|
104 |
| - // exchange the OIDC token for an API token |
105 |
| - const mint_resp = await fetch('https://pypi.org/_/oidc/github/mint-token', { |
106 |
| - method: 'post', |
107 |
| - body: `{"token": "${oidc_token}"}` , |
108 |
| - headers: {'Content-Type': 'application/json'}, |
109 |
| - }); |
110 |
| - const api_token = (await mint_resp.json()).token; |
111 |
| -
|
112 |
| - // mask the newly minted API token, so that we don't accidentally leak it |
113 |
| - core.setSecret(api_token) |
114 |
| - core.setOutput('api-token', api_token) |
115 |
| -
|
116 | 89 | - name: Upload to PyPI
|
117 | 90 | env:
|
118 | 91 | TWINE_NON_INTERACTIVE: "true"
|
119 |
| - TWINE_USERNAME: "__token__" |
120 |
| - TWINE_PASSWORD: "${{ steps.mint-token.outputs.api-token }}" |
121 |
| - run: | |
122 |
| - twine upload dist/* --attestations |
| 92 | + run: twine upload dist/* --attestations |
123 | 93 |
|
124 | 94 | github-release:
|
125 | 95 | runs-on: ubuntu-latest
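Review bot: The `Upload to PyPI` step now carries no explicit credential, so with the `Mint PyPI API token` step and `TWINE_USERNAME`/`TWINE_PASSWORD` removed it presumably relies on twine performing the OIDC exchange itself. That requires the job to grant `id-token: write` and the installed twine to be a release with built-in Trusted Publishing support. Neither the job's `permissions` block nor the twine install step is visible in this hunk, so both should be confirmed. Because `TWINE_NON_INTERACTIVE` is `"true"`, an older twine would fail the upload rather than prompt, so I would pin a minimum twine version where it is installed. I would also add a comment above the step such as `# no TWINE_PASSWORD: twine obtains a short-lived token via Trusted Publishing (needs id-token: write)`.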
|
|