
Commit d1eecde

committed
feat: use trusted publishers instead of access tokens
1 parent dcd035c commit d1eecde

5 files changed

Lines changed: 32 additions & 29 deletions


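--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -116,6 +116,9 @@ jobs:
 needs: validate
 if: github.event_name == 'workflow_dispatch' && github.event.inputs.publish-prerelease == 'true'
 environment: prerelease
+permissions:
+contents: read
+id-token: write
 
 steps:
 - name: Checkout code
@@ -138,7 +141,7 @@ jobs:
 - name: Install Python build tools
 run: |
 python -m pip install --upgrade pip
-pip install build twine
+pip install build
 
 - name: Get version and create pre-release tag
 id: version
@@ -163,16 +166,12 @@ jobs:
 
 - name: Publish TypeScript to npm (next tag)
 working-directory: packages/flarelette-jwt-ts
-run: npm publish --tag next --access public
-env:
-NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+run: npm publish --provenance --tag next --access public
 
 - name: Publish Python to PyPI (with pre-release classifier)
-working-directory: packages/flarelette-jwt-py
-run: python -m twine upload dist/*
-env:
-TWINE_USERNAME: __token__
-TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
+uses: pypa/gh-action-pypi-publish@release/v1
+with:
+packages-dir: packages/flarelette-jwt-py/dist/
 
 - name: Summary
 run: |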
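Review bot: The new publish step at new line 172, `uses: pypa/gh-action-pypi-publish@release/v1`, references a mutable branch, so the code that receives this job's OIDC token can change without any change in this repository; now that the job grants `id-token: write`, pin it to a full commit SHA with the tag kept as a comment, e.g. `uses: pypa/gh-action-pypi-publish@<COMMIT-SHA>  # release/v1` (placeholder; take the SHA from the action's release). The same unpinned reference appears in manual-publish.yml and release.yml. Separately, this job runs under `environment: prerelease` (line 118), and as I understand PyPI's publisher matching, the trusted publisher registered for cd.yml must either name that environment or leave the environment field unset, otherwise the token exchange is refused; a comment on the step such as `# trusted publishing: PyPI publisher is matched on workflow cd.yml and environment prerelease` would save the next maintainer a failed release. The publish-prerelease job's remaining steps continue outside the hunk.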

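--- a/.github/workflows/manual-publish.yml
+++ b/.github/workflows/manual-publish.yml
@@ -23,6 +23,9 @@ jobs:
 publish-npm:
 runs-on: ubuntu-latest
 if: ${{ github.event.inputs.package == 'typescript' || github.event.inputs.package == 'both' }}
+permissions:
+contents: read
+id-token: write
 
 steps:
 - name: Checkout code
@@ -44,13 +47,14 @@ jobs:
 
 - name: Publish to npm
 working-directory: packages/flarelette-jwt-ts
-run: npm publish --access public
-env:
-NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+run: npm publish --provenance --access public
 
 publish-pypi:
 runs-on: ubuntu-latest
 if: ${{ github.event.inputs.package == 'python' || github.event.inputs.package == 'both' }}
+permissions:
+contents: read
+id-token: write
 
 steps:
 - name: Checkout code
@@ -66,7 +70,7 @@ jobs:
 - name: Install build tools
 run: |
 python -m pip install --upgrade pip
-pip install build twine
+pip install build
 
 - name: Build Python package
 working-directory: packages/flarelette-jwt-py
@@ -75,8 +79,6 @@ jobs:
 python -m build
 
 - name: Publish to PyPI
-working-directory: packages/flarelette-jwt-py
-run: python -m twine upload dist/*
-env:
-TWINE_USERNAME: __token__
-TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
+uses: pypa/gh-action-pypi-publish@release/v1
+with:
+packages-dir: packages/flarelette-jwt-py/dist/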
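Review bot: The publish-npm and publish-pypi jobs (new lines 23–28 and 52–57) gain `id-token: write` but are not bound to a GitHub `environment:`, unlike the prerelease job in cd.yml; a workflow_dispatch job that can mint registry-accepted OIDC tokens is worth placing behind a protected environment with required reviewers, e.g. `environment: release` on each job (constructed name), so the npm and PyPI trusted publishers can be scoped to that environment instead of to the whole workflow. release.yml's publish jobs have the same gap. Whether the runner's npm can publish with `--provenance` and no `NODE_AUTH_TOKEN` depends on the setup-node step and the npm version it installs, both outside this hunk; the first manual run should confirm that rather than assume it.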

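--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,6 +31,9 @@ jobs:
 needs: release-please
 runs-on: ubuntu-latest
 if: ${{ needs.release-please.outputs.ts_release_created }}
+permissions:
+contents: read
+id-token: write
 
 steps:
 - name: Checkout code
@@ -50,14 +53,15 @@ jobs:
 
 - name: Publish to npm
 working-directory: packages/flarelette-jwt-ts
-run: npm publish --access public
-env:
-NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+run: npm publish --provenance --access public
 
 publish-pypi:
 needs: release-please
 runs-on: ubuntu-latest
 if: ${{ needs.release-please.outputs.py_release_created }}
+permissions:
+contents: read
+id-token: write
 
 steps:
 - name: Checkout code
@@ -71,7 +75,7 @@ jobs:
 - name: Install build tools
 run: |
 python -m pip install --upgrade pip
-pip install build twine
+pip install build
 
 - name: Build Python package
 working-directory: packages/flarelette-jwt-py
@@ -80,8 +84,6 @@ jobs:
 python -m build
 
 - name: Publish to PyPI
-working-directory: packages/flarelette-jwt-py
-run: python -m twine upload dist/*
-env:
-TWINE_USERNAME: __token__
-TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
+uses: pypa/gh-action-pypi-publish@release/v1
+with:
+packages-dir: packages/flarelette-jwt-py/dist/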
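Review bot: The `permissions:` blocks added at new lines 34–36 and 62–64 carry no explanation of why `id-token: write` is needed, nor of the side effect that a job-level `permissions:` key replaces the defaults and drops every permission not listed; a maintainer who later adds a step needing more will only discover that at run time. Suggest a comment above each block: `# job-level permissions replace the defaults: contents:read for checkout, id-token:write so npm/PyPI trusted publishing can request an OIDC token; no registry secrets are used`. The same comment fits the matching blocks in cd.yml and manual-publish.yml.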

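--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -288,7 +288,7 @@ The project uses automated releases via [release-please](https://github.com/goog
 
 See **[RELEASING.md](RELEASING.md)** for detailed release process and **[RELEASE_CHECKLIST.md](RELEASE_CHECKLIST.md)** for setup.
 
-**For maintainers:** Ensure `NPM_TOKEN` and `PYPI_TOKEN` secrets are configured in repository settings.
+**For maintainers:** Configure npm and PyPI trusted publishing for this repository/workflow (GitHub OIDC). `NPM_TOKEN` and `PYPI_TOKEN` secrets are not required.
 
 ## Questions?
 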
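--- a/packages/CONTRIBUTING.md
+++ b/packages/CONTRIBUTING.md
@@ -288,7 +288,7 @@ The project uses automated releases via [release-please](https://github.com/goog
 
 See **[RELEASING.md](RELEASING.md)** for detailed release process and **[RELEASE_CHECKLIST.md](RELEASE_CHECKLIST.md)** for setup.
 
-**For maintainers:** Ensure `NPM_TOKEN` and `PYPI_TOKEN` secrets are configured in repository settings.
+**For maintainers:** Configure npm and PyPI trusted publishing for this repository/workflow (GitHub OIDC). `NPM_TOKEN` and `PYPI_TOKEN` secrets are not required.
 
 ## Questions?
 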
