From 4218852e4f9aeb543970b7bb30c47c907de1c9b1 Mon Sep 17 00:00:00 2001
From: Brandon Butler
Date: Thu, 17 Aug 2023 11:45:18 -0700
Subject: [PATCH] Switch to trusted publishing for pypi
---
.github/workflows/build-arm64-wheels.yml | 27 ++++++++----------------
.github/workflows/build-m1-wheel.yml | 27 ++++++++----------------
.github/workflows/build-test.yml | 25 ++++++++--------------
3 files changed, 27 insertions(+), 52 deletions(-)
diff --git a/.github/workflows/build-arm64-wheels.yml b/.github/workflows/build-arm64-wheels.yml
index 661ea947..20b396d6 100644
--- a/.github/workflows/build-arm64-wheels.yml
+++ b/.github/workflows/build-arm64-wheels.yml
@@ -11,6 +11,10 @@ on:
branches:
- '**'
+permissions:
+ contents: read
+ id-token: write
+
jobs:
build_wheels:
name: ARM64 Python Wheels on ARM64 Ubuntu
@@ -67,25 +71,12 @@ jobs:
pip install setuptools_rust
pip install twine
- - name: Test for secrets access
- id: check_secrets
- shell: bash
- run: |
- unset HAS_SECRET
- if [ -n "$SECRET" ]; then HAS_SECRET='true' ; fi
- echo "HAS_SECRET=${HAS_SECRET}" >>$GITHUB_OUTPUT
- env:
- SECRET: "${{ secrets.test_pypi_password }}"
-
- name: publish (PyPi)
- if: startsWith(github.event.ref, 'refs/tags') && steps.check_secrets.outputs.HAS_SECRET
- env:
- TWINE_USERNAME: __token__
- TWINE_NON_INTERACTIVE: 1
- TWINE_PASSWORD: ${{ secrets.pypi_password }}
- run: |
- . ./activate
- twine upload --non-interactive --skip-existing --verbose 'target/wheels/*'
+ if: startsWith(github.event.ref, 'refs/tags')
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ packages-dir: target/wheels/
+ skip-existing: true
- name: Clean up AMR64
if: startsWith(matrix.os, 'ARM64')
diff --git a/.github/workflows/build-m1-wheel.yml b/.github/workflows/build-m1-wheel.yml
index e2a7d015..6883d071 100644
--- a/.github/workflows/build-m1-wheel.yml
+++ b/.github/workflows/build-m1-wheel.yml
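Review bot: The `permissions` block added in the `@@ -11,6 +11,10 @@` hunk sits at workflow level, so `id-token: write` is granted to every job in the file rather than only to the job that publishes; the same placement is used in the `@@ -15,6 +15,10 @@` hunk of build-m1-wheel.yml and the `@@ -11,6 +11,10 @@` hunk of build-test.yml, where the `checks` job visible later in that file would also receive it. Keep the workflow-level block at `contents: read` only and declare `permissions:` / `contents: read` / `id-token: write` on the `build_wheels` job, so an OIDC token can only be minted where the publish step runs. Because the publish step currently shares a job with the build steps, the layout PyPA's trusted-publishing guide recommends is a separate publish job that downloads the built wheels as an artifact and is the only job holding `id-token: write`; that is a larger restructuring and could follow in a later commit.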
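Review bot: `uses: pypa/gh-action-pypi-publish@release/v1` in the `@@ -67,25 +71,12 @@` hunk references a mutable branch, so the action that receives the minted OIDC token and performs the upload can change without any change to this repository; pin it to a full commit SHA and record the tracked version in a comment, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1` (placeholder, take the SHA from the action's release). The same reference appears in the `@@ -99,27 +103,14 @@` hunk of build-m1-wheel.yml and the `@@ -132,23 +136,12 @@` hunk of build-test.yml. Dropping the `check_secrets` gate also changes when the step runs: previously a tag push without credentials (a fork, for instance) skipped publishing, whereas now any tag push attempts the upload and, if no trusted publisher is configured for that repository, would fail the job — if the old skip behaviour is wanted, add a `github.repository` condition to the `if:`. The `pip install twine` line kept as context above the step appears to be unused now that the upload no longer calls twine, as do the `Install twine` step in build-m1-wheel.yml and the `Install Twine` step in build-test.yml.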
@@ -15,6 +15,10 @@ concurrency:
group: ${{ github.ref }}-${{ github.workflow }}-${{ github.event_name }}--${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/') || startsWith(github.ref, 'refs/heads/long_lived/')) && github.sha || '' }}
cancel-in-progress: true
+permissions:
+ contents: read
+ id-token: write
+
jobs:
build_wheels:
name: Build wheel on Mac M1
@@ -99,27 +103,14 @@ jobs:
name: wheels
path: ./target/wheels
- - name: Test for secrets access
- id: check_secrets
- shell: bash
- run: |
- unset HAS_SECRET
- if [ -n "$SECRET" ]; then HAS_SECRET='true' ; fi
- echo "HAS_SECRET=${HAS_SECRET}" >>$GITHUB_OUTPUT
- env:
- SECRET: "${{ secrets.test_pypi_password }}"
-
- name: Install twine
run: |
. ./venv/bin/activate
arch -arm64 pip install twine
- name: Publish distribution to PyPI
- if: startsWith(github.event.ref, 'refs/tags') && steps.check_secrets.outputs.HAS_SECRET
- env:
- TWINE_USERNAME: __token__
- TWINE_NON_INTERACTIVE: 1
- TWINE_PASSWORD: ${{ secrets.pypi_password }}
- run: |
- . ./venv/bin/activate
- arch -arm64 twine upload --non-interactive --skip-existing --verbose 'target/wheels/*'
+ if: startsWith(github.event.ref, 'refs/tags')
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ packages-dir: target/wheels/
+ skip-existing: true
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index 24913bd9..171aa760 100644
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -11,6 +11,10 @@ on:
branches:
- '**'
+permissions:
+ contents: read
+ id-token: write
+
jobs:
build_wheels:
name: Wheel on ${{ matrix.os }} py-${{ matrix.python }}
@@ -132,23 +136,12 @@ jobs:
- name: Install Twine
run: pip install twine
- - name: Test for secrets access
- id: check_secrets
- shell: bash
- run: |
- unset HAS_SECRET
- if [ -n "$SECRET" ]; then HAS_SECRET='true' ; fi
- echo "HAS_SECRET=${HAS_SECRET}" >>$GITHUB_OUTPUT
- env:
- SECRET: "${{ secrets.test_pypi_password }}"
-
- name: publish (PyPi)
- if: startsWith(github.event.ref, 'refs/tags') && steps.check_secrets.outputs.HAS_SECRET
- env:
- TWINE_USERNAME: __token__
- TWINE_NON_INTERACTIVE: 1
- TWINE_PASSWORD: ${{ secrets.pypi_password }}
- run: twine upload --non-interactive --skip-existing --verbose 'target/wheels/*'
+ if: startsWith(github.event.ref, 'refs/tags')
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ packages-dir: target/wheels/
+ skip-existing: true
checks:
runs-on: ubuntu-20.04