pydata / pydata-sphinx-theme

A clean, three-column Sphinx theme with Bootstrap for the PyData community
https://pydata-sphinx-theme.readthedocs.io
BSD 3-Clause "New" or "Revised" License

Use `trusted publisher` for PyPI releases #1754

Closed trallard closed 3 months ago

trallard commented 3 months ago

We use the publish.yaml workflow for PST releases.

This still uses a token for this action, though trusted publishing is now encouraged over API tokens as a best practice on supported platforms (like GitHub).

To do this, we would need to:

Ref: https://docs.pypi.org/trusted-publishers/adding-a-publisher/

choldgraf commented 3 months ago

@trallard I've invited you as an owner on PyPI (and recommend we add other core maintainers in the same role as well).

drammock commented 3 months ago

Feel free to add me if you want; we use trusted publisher in MNE too, so I'm familiar.

trallard commented 3 months ago

Added you @drammock!

trallard commented 3 months ago

PR is up now at #1758; the only outstanding item is removing the existing tokens from GitHub itself. This is not something I can do with my current permissions/role, so this would be a task for someone else with elevated privileges.