Update release workflow to use Trusted Publishing (#2696)

pylint-dev · Mar 9, 2025 · 5512bf2 · 5512bf2
1 parent aad8e68
commit 5512bf2
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 12 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,12 +12,10 @@ permissions:
   contents: read
 
 jobs:
-  release-pypi:
-    name: Upload release to PyPI
+  build:
+    name: Build release assets
     runs-on: ubuntu-latest
-    environment:
-      name: PyPI
-      url: https://pypi.org/project/astroid/
+    if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags')
     steps:
       - name: Check out code from Github
         uses: actions/checkout@v4.1.7
@@ -31,15 +29,52 @@ jobs:
         run: |
           # Remove dist, build, and astroid.egg-info
           # when building locally for testing!
-          python -m pip install twine build
+          python -m pip install build
       - name: Build distributions
         run: |
           python -m build
+      - name: Upload release assets
+        uses: actions/upload-artifact@v4.6.1
+        with:
+          name: release-assets
+          path: dist/
+
+  release-pypi:
+    name: Upload release to PyPI
+    runs-on: ubuntu-latest
+    needs: ["build"]
+    environment:
+      name: PyPI
+      url: https://pypi.org/project/astroid/
+    permissions:
+      id-token: write
+    steps:
+      - name: Download release assets
+        uses: actions/download-artifact@v4.1.9
+        with:
+          name: release-assets
+          path: dist/
       - name: Upload to PyPI
         if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags')
-        env:
-          TWINE_REPOSITORY: pypi
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
-        run: |
-          twine upload --verbose dist/*
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  release-github:
+    name: Upload assets to Github release
+    runs-on: ubuntu-latest
+    needs: ["build"]
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - name: Download release assets
+        uses: actions/download-artifact@v4.1.9
+        with:
+          name: release-assets
+          path: dist/
+      - name: Sign the dists with Sigstore and upload assets to Github release
+        if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags')
+        uses: sigstore/gh-action-sigstore-python@v3.0.0
+        with:
+          inputs: |
+            ./dist/*.tar.gz
+            ./dist/*.whl
diff --git a/ChangeLog b/ChangeLog
@@ -19,6 +19,10 @@ Release date: TBA
   Closes #2686
   Closes pylint-dev/pylint#8589
 
+* Upload release assets to PyPI via Trusted Publishing.
+
+  Refs pylint-dev/pylint#10256
+
 
 What's New in astroid 3.3.8?
 ============================