dmwm / WMCore

Core workflow management components for CMS.
Apache License 2.0

Update CD pipeline to use trusted publishers #12071

Closed amaltaro closed 3 months ago

amaltaro commented 3 months ago

Fixes #11727

Status

ready

Description

With this PR, we move away from PyPI user/token authentication in our CD pipeline, finally adopting (actually enabling) PyPI 2FA together with trusted publisher registration in the PyPI projects.

In addition, I have updated the version of a couple of GitHub actions.

Is it backward compatible (if not, which system does it affect?)

YES

Related PRs

None

External dependencies / deployment changes

It does depend on configuring a trusted publisher in all of the WMCore PyPI projects (under the account we use for publishing packages to PyPI).

Some references are: https://docs.pypi.org/trusted-publishers/ and https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/

cmsdmwmbot commented 3 months ago

Jenkins results:

Details at https://cmssdt.cern.ch/dmwm-jenkins/view/All/job/DMWM-WMCore-PR-test/15148/artifact/artifacts/PullRequestReport.html

amaltaro commented 3 months ago

Even though I have tested these changes in a playground repository, it could be that something will still fail, as the workflow configurations are different.

I have just configured a trusted publisher in PyPI for all the projects currently defined in our CD pipeline, which I list here as well:

        target: [wmagent, wmagent-devtools, wmcore, reqmon, reqmgr2, global-workqueue, acdcserver, reqmgr2ms-unmerged,
                 reqmgr2ms-output, reqmgr2ms-pileup, reqmgr2ms-rulecleaner, reqmgr2ms-transferor, reqmgr2ms-monitor]

And now, I am gonna give it a try without even bugging people for code review. Any feedback is welcome though.

amaltaro commented 3 months ago

Wohooo, it works! https://github.com/dmwm/WMCore/actions/runs/10287262120
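
The change described in this PR, sketched as a GitHub Actions publish job with the token-based step shown beside the trusted-publisher form. This is an added example, not the WMCore workflow from the PR; the workflow name, trigger, build command and secret name are assumptions, and only the `target` names come from the thread.

```yaml
# Added example; items marked "assumption" are not from the WMCore repository.
name: Publish to PyPI            # assumption: workflow name
on:
  push:
    tags: ["*"]                  # assumption: release trigger
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write            # required: lets the job request a GitHub OIDC token
      contents: read             # checkout only; nothing else is granted
    strategy:
      matrix:
        # Subset of the target list from the thread. Each target is its own
        # PyPI project and needs its own trusted publisher registration.
        target: [wmagent, wmcore, reqmgr2]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Build distribution for ${{ matrix.target }}
        # assumption: placeholder build command that writes into dist/
        run: |
          python -m pip install build
          python -m build --sdist

      # Before: long-lived credential stored as a repository secret.
      # - uses: pypa/gh-action-pypi-publish@release/v1
      #   with:
      #     user: __token__
      #     password: ${{ secrets.PYPI_API_TOKEN }}   # assumption: secret name

      # After: no user/password inputs. The action exchanges the job's OIDC
      # token for a short-lived PyPI upload token for the matching project.
      - uses: pypa/gh-action-pypi-publish@release/v1
```

The trusted publisher registration on PyPI names the repository owner, repository and workflow filename, so renaming or moving the workflow file makes uploads fail until the registration is updated. Once every project publishes this way, the stored API token secret can be deleted from the repository and revoked on PyPI.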