refactor the publish pypi worlfow for trusted publisher

tdruez · tdruez · commit b53c739ff507 · 2026-03-11T14:45:44.000+13:00
Signed-off-by: tdruez &lt;tdruez@aboutcode.org&gt;
diff --git a/.github/workflows/pr-quality.yml b/.github/workflows/pr-quality.yml
@@ -6,6 +6,9 @@ permissions:
   pull-requests: write
 
 on:
+  # pull_request_target is required so the action can close/comment on fork PRs.
+  # This is safe because: no untrusted code is checked out, and no attacker-controlled
+  # values are interpolated into shell commands. All action inputs are hardcoded.
   pull_request_target:
     types: [opened, reopened]
 
diff --git a/.github/workflows/publish-pypi-release.yml b/.github/workflows/publish-pypi-release.yml
@@ -1,15 +1,20 @@
-name: Build Python distributions and publish on PyPI
+name: Build Python distributions, publish on PyPI, and create a GH release
 
 on:
   workflow_dispatch:
   push:
     tags:
       - "v*.*.*"
 
+env:
+  PYPI_PROJECT_URL: "https://pypi.org/p/scancodeio"
+
 jobs:
-  build-and-publish:
-    name: Build and publish library to PyPI
+  build-python-dist:
+    name: Build Python distributions
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository
@@ -23,26 +28,61 @@ jobs:
           python-version: 3.14
 
       - name: Install pypa/build
-        run: python -m pip install build==1.4.0 --user
+        run: python -m pip install build --user
 
       - name: Build a binary wheel and a source tarball
-        run: python -m build --sdist --wheel --outdir dist/ .
+        run: python -m build --sdist --wheel --outdir dist/
 
-      - name: Publish to PyPI
-        if: startsWith(github.ref, 'refs/tags')
-        uses: pypa/gh-action-pypi-publish@release/v1
+      - name: Upload package distributions as GitHub workflow artifacts
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
-          password: ${{ secrets.PYPI_API_TOKEN }}
+          name: python-package-distributions
+          path: dist/
 
-      - name: Upload built archives
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+  # Only set the id-token: write permission in the job that does publishing, not globally.
+  # Also, separate building from publishing — this makes sure that any scripts
+  # maliciously injected into the build or test environment won't be able to elevate
+  # privileges while flying under the radar.
+  pypi-publish:
+    name: Upload package distributions to PyPI
+    if: startsWith(github.ref, 'refs/tags/')  # only publish to PyPI on tag pushes
+    needs:
+      - build-python-dist
+    runs-on: ubuntu-24.04
+    environment:
+      name: pypi
+      url: ${{ env.PYPI_PROJECT_URL }}
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
+
+    steps:
+      - name: Download package distributions
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0
+
+  create-gh-release:
+    name: Create GitHub release
+    needs:
+      - build-python-dist
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+
+    steps:
+      - name: Download package distributions
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
         with:
-          name: pypi_archives
-          path: dist/*
+          name: python-package-distributions
+          path: dist/
 
-      - name: Create a GitHub release
-        uses: softprops/action-gh-release@v2
+      - name: Create GH release
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b  # v2.5.0
         with:
-          generate_release_notes: true
           draft: false
+          generate_release_notes: true
           files: dist/*
diff --git a/.github/workflows/sca-integration-ort-package-file.yml b/.github/workflows/sca-integration-ort-package-file.yml
@@ -34,25 +34,25 @@ jobs:
 
       - name: Copy package-list.yml to workspace root
         run: |
-          FILE=$(ls ${{ env.PROJECT_WORK_DIRECTORY }}/output/*.package-list.yml | head -n 1)
-          sudo mkdir -p ${GITHUB_WORKSPACE}/ort-data/
+          FILE=$(ls "${PROJECT_WORK_DIRECTORY}/output/"*.package-list.yml | head -n 1)
+          sudo mkdir -p "${GITHUB_WORKSPACE}/ort-data/"
           sudo cp "$FILE" "${GITHUB_WORKSPACE}/ort-data/package-list.yml"
-          sudo chmod -R 777 ${GITHUB_WORKSPACE}/ort-data/
+          sudo chmod -R 777 "${GITHUB_WORKSPACE}/ort-data/"
           ls -lh "${GITHUB_WORKSPACE}/ort-data/"
 
       - name: Generates an ORT analyzer-result.yml file
         run: |
-          docker run --rm -v ${GITHUB_WORKSPACE}/ort-data:/data \
+          docker run --rm -v "${GITHUB_WORKSPACE}/ort-data:/data" \
             --entrypoint /opt/ort/bin/orth \
-            ghcr.io/oss-review-toolkit/ort:${{ env.ORT_VERSION }} \
+            "ghcr.io/oss-review-toolkit/ort:${ORT_VERSION}" \
             create-analyzer-result-from-package-list \
               --package-list-file /data/package-list.yml \
               --ort-file /data/analyzer-result.yml
 
       - name: Report as CycloneDX and SPDX using the analyzer-result.yml file
         run: |
-          docker run --rm -v ${GITHUB_WORKSPACE}/ort-data:/data \
-          ghcr.io/oss-review-toolkit/ort:${{ env.ORT_VERSION }} \
+          docker run --rm -v "${GITHUB_WORKSPACE}/ort-data:/data" \
+          "ghcr.io/oss-review-toolkit/ort:${ORT_VERSION}" \
           report \
             --ort-file /data/analyzer-result.yml \
             --output-dir /data/results/ \
