napari / napari-animation

A napari plugin for making animations
https://napari.github.io/napari-animation/

Switch deploy method to use trusted publisher #211

Closed DragaDoncila closed 4 months ago

DragaDoncila commented 5 months ago

Right now we have a trusted publisher configured on PyPI but our deploy workflow still uses twine and its secret token to upload new releases.

We should update the workflow file to remove the use of twine in favour of the pypa/gh-action-pypi-publish@release action as described here.

GenevieveBuckley commented 4 months ago

Three things need to happen:

  1. Add a trusted publisher to our existing PyPI project (or you can create a new PyPI project with a trusted publisher).
  2. Merge a PR updating .github/workflows/release_drafter.yml. The deploy job needs to be given id-token: write permissions, and changed to use the pypa/gh-action-pypi-publish action (see example here).
  3. Delete the old PyPI API tokens from both PyPI and the GitHub repository secrets settings.

I can make a PR for (2), but do not have access to do (1) and (3). Someone else will have to do those.
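
The workflow change from step (2), sketched as an added example; it is not the project's actual `.github/workflows/release_drafter.yml`. The trigger, job layout, environment name and the `PYPI_API_TOKEN` secret name are assumptions, and the old token-based upload is shown commented out beside its replacement.

```yaml
# Constructed example: names, trigger and versions are assumptions,
# not taken from the napari-animation repository.
name: deploy-example
on:
  push:
    tags: ["v*"]

# Deny all token permissions by default; each job opts in to what it needs.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: python -m pip install build && python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  deploy:
    needs: build
    runs-on: ubuntu-latest
    # Assumed environment name. If the trusted publisher entry on PyPI
    # names an environment, this value must match it.
    environment: pypi
    permissions:
      id-token: write  # allows the job to request the OIDC token PyPI verifies
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # BEFORE (long-lived secret, to be removed):
      #   - run: twine upload dist/*
      #     env:
      #       TWINE_USERNAME: __token__
      #       TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}  # hypothetical secret name
      # AFTER: no username, password or repository secret is passed.
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Granting `id-token: write` only on the `deploy` job keeps the build steps, which run third-party build tooling, from being able to request the publishing identity.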