support Trusted Publishers
casperdcl opened this issue · 7 comments
casperdcl commented
- `password.required: false`
- `registry-domain.default: https://upload.pypi.org`
- if `password` undefined, generate OIDC "password":

```sh
# audience the registry expects in the GitHub OIDC token (e.g. "pypi"), then the token itself
audience=$(curl -s "$INPUT_REGISTRY_DOMAIN/_/oidc/audience" | jq -r .audience)
oidc_token=$(curl -s --get "$ACTIONS_ID_TOKEN_REQUEST_URL" --data-urlencode "audience=$audience" \
  -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" | jq "{token: .value}")
# exchange it for a short-lived registry API token and use that as the twine password
TWINE_PASSWORD=$(curl -s -X POST "$INPUT_REGISTRY_DOMAIN/_/oidc/github/mint-token" \
  -H "Content-Type: application/json" -d "$oidc_token" | jq -r .token)
```
references
- description: https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers#using-trusted-publishing-with-github-actions
- implementation: https://github.com/pypa/gh-action-pypi-publish/blob/unstable/v1/oidc-exchange.py
- `detect_github(audience) -> oidc_token`: https://github.com/di/id/blob/main/id/_internal/oidc/ambient.py
- GHA env vars: https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables
0x2b3bfa0 commented
Would a shell script be enough, or does it have to be pure Python?
```sh
# 1. ask the registry which audience it expects and request a GitHub OIDC token for it
# 2. wrap that token as {"token": ...} and exchange it for a registry API token
curl --get "$ACTIONS_ID_TOKEN_REQUEST_URL" \
  --header "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
  --data-urlencode "audience=$(curl "https://$REGISTRY_DOMAIN/_/oidc/audience" | jq --raw-output .audience)" |
jq "{token: .value}" |
curl "https://$REGISTRY_DOMAIN/_/oidc/github/mint-token" --header "Content-Type: application/json" --data @- |
jq --raw-output .token
```

Note that #17 (comment) is wrong, and $REGISTRY_DOMAIN is the host name of the registry; e.g. upload.pypi.org
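The exchange sketched in the two comments above, as an added example that is neither deploy-pypi's code nor from anyone in this thread: a defensive version that fails with an actionable message when the job lacks `id-token: write`, joins the audience onto GitHub's request URL correctly (that URL already carries a query string), checks that the registry actually returned a token, and masks it in the job log. Function names are hypothetical; it assumes only `curl` and `sed` on PATH.

```shell
#!/usr/bin/env sh
# Added example, not the deploy-pypi action's own code.
set -eu

# GitHub only sets these two variables when the job has `permissions: id-token: write`,
# so a missing value is a workflow configuration error, not a transient failure.
check_oidc_env() {
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] || [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "OIDC request variables missing: add 'permissions: id-token: write' to the job" >&2
    return 1
  fi
}

# Append the audience to the token request URL. GitHub's URL already carries a
# query string (api-version=...), so join with '&' in that case, '?' otherwise.
token_request_url() {
  base=$1; audience=$2
  case $base in
    *\?*) printf '%s&audience=%s\n' "$base" "$audience" ;;
    *)    printf '%s?audience=%s\n' "$base" "$audience" ;;
  esac
}

# Extract a string field from the small flat JSON objects these endpoints return,
# without depending on jq. Not a general JSON parser; enough for one-level objects.
json_string_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Full exchange: registry audience -> GitHub OIDC token -> registry API token.
# Usage: TWINE_PASSWORD=$(mint_registry_token https://upload.pypi.org)
mint_registry_token() {
  registry=${1:-https://upload.pypi.org}
  check_oidc_env
  audience=$(json_string_field "$(curl -fsS "$registry/_/oidc/audience")" audience)
  oidc=$(curl -fsS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
           "$(token_request_url "$ACTIONS_ID_TOKEN_REQUEST_URL" "$audience")")
  oidc_token=$(json_string_field "$oidc" value)
  minted=$(curl -fsS -H 'Content-Type: application/json' \
             --data "{\"token\":\"$oidc_token\"}" "$registry/_/oidc/github/mint-token")
  token=$(json_string_field "$minted" token)
  [ -n "$token" ] || { echo "mint-token returned no token: $minted" >&2; return 1; }
  echo "::add-mask::$token"   # keep the minted token out of the job log
  printf '%s\n' "$token"
}
```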
casperdcl commented
shell script is the only thing supported[^1]

[^1]: https://github.com/casperdcl/deploy-pypi#why "Has the entirety of the code in a single file, making it very easy to review"
casperdcl commented
looks like it's meant to be https://upload.pypi.org
0x2b3bfa0 commented
> looks like it's meant to be https://upload.pypi.org
It also works with pypi.org but you're right; updated!
