diff --git a/.github/workflows/build-arm64-wheels.yml b/.github/workflows/build-arm64-wheels.yml index 661ea947..20b396d6 100644 --- a/.github/workflows/build-arm64-wheels.yml +++ b/.github/workflows/build-arm64-wheels.yml @@ -11,6 +11,10 @@ on: branches: - '**' +permissions: + contents: read + id-token: write + jobs: build_wheels: name: ARM64 Python Wheels on ARM64 Ubuntu @@ -67,25 +71,12 @@ jobs: pip install setuptools_rust pip install twine - - name: Test for secrets access - id: check_secrets - shell: bash - run: | - unset HAS_SECRET - if [ -n "$SECRET" ]; then HAS_SECRET='true' ; fi - echo "HAS_SECRET=${HAS_SECRET}" >>$GITHUB_OUTPUT - env: - SECRET: "${{ secrets.test_pypi_password }}" - - name: publish (PyPi) - if: startsWith(github.event.ref, 'refs/tags') && steps.check_secrets.outputs.HAS_SECRET - env: - TWINE_USERNAME: __token__ - TWINE_NON_INTERACTIVE: 1 - TWINE_PASSWORD: ${{ secrets.pypi_password }} - run: | - . ./activate - twine upload --non-interactive --skip-existing --verbose 'target/wheels/*' + if: startsWith(github.event.ref, 'refs/tags') + uses: pypa/gh-action-pypi-publish@release/v1 + with: + packages-dir: target/wheels/ + skip-existing: true - name: Clean up AMR64 if: startsWith(matrix.os, 'ARM64') diff --git a/.github/workflows/build-m1-wheel.yml b/.github/workflows/build-m1-wheel.yml index e2a7d015..6883d071 100644 --- a/.github/workflows/build-m1-wheel.yml +++ b/.github/workflows/build-m1-wheel.yml @@ -15,6 +15,10 @@ concurrency: group: ${{ github.ref }}-${{ github.workflow }}-${{ github.event_name }}--${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/') || startsWith(github.ref, 'refs/heads/long_lived/')) && github.sha || '' }} cancel-in-progress: true +permissions: + contents: read + id-token: write + jobs: build_wheels: name: Build wheel on Mac M1 @@ -99,27 +103,14 @@ jobs: name: wheels path: ./target/wheels - - name: Test for secrets access - id: check_secrets - shell: bash - run: | - unset HAS_SECRET - if [ -n "$SECRET" ]; then HAS_SECRET='true' ; fi - echo "HAS_SECRET=${HAS_SECRET}" >>$GITHUB_OUTPUT - env: - SECRET: "${{ secrets.test_pypi_password }}" - - name: Install twine run: | . ./venv/bin/activate arch -arm64 pip install twine - name: Publish distribution to PyPI - if: startsWith(github.event.ref, 'refs/tags') && steps.check_secrets.outputs.HAS_SECRET - env: - TWINE_USERNAME: __token__ - TWINE_NON_INTERACTIVE: 1 - TWINE_PASSWORD: ${{ secrets.pypi_password }} - run: | - . ./venv/bin/activate - arch -arm64 twine upload --non-interactive --skip-existing --verbose 'target/wheels/*' + if: startsWith(github.event.ref, 'refs/tags') + uses: pypa/gh-action-pypi-publish@release/v1 + with: + packages-dir: target/wheels/ + skip-existing: true diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml index 24913bd9..171aa760 100644 --- a/.github/workflows/build-test.yml +++ b/.github/workflows/build-test.yml @@ -11,6 +11,10 @@ on: branches: - '**' +permissions: + contents: read + id-token: write + jobs: build_wheels: name: Wheel on ${{ matrix.os }} py-${{ matrix.python }} @@ -132,23 +136,12 @@ jobs: - name: Install Twine run: pip install twine - - name: Test for secrets access - id: check_secrets - shell: bash - run: | - unset HAS_SECRET - if [ -n "$SECRET" ]; then HAS_SECRET='true' ; fi - echo "HAS_SECRET=${HAS_SECRET}" >>$GITHUB_OUTPUT - env: - SECRET: "${{ secrets.test_pypi_password }}" - - name: publish (PyPi) - if: startsWith(github.event.ref, 'refs/tags') && steps.check_secrets.outputs.HAS_SECRET - env: - TWINE_USERNAME: __token__ - TWINE_NON_INTERACTIVE: 1 - TWINE_PASSWORD: ${{ secrets.pypi_password }} - run: twine upload --non-interactive --skip-existing --verbose 'target/wheels/*' + if: startsWith(github.event.ref, 'refs/tags') + uses: pypa/gh-action-pypi-publish@release/v1 + with: + packages-dir: target/wheels/ + skip-existing: true checks: runs-on: ubuntu-20.04