Update to trusted publisher releases
Closed this issue · 1 comments
All stored secreted were cleared by the Scikit-HEP team due to a security threat that turned out to be a GitHub bug. It is recommended that Scikit-HEP projects move to trusted publisher releases instead of regenerating tokens. This requires telling PyPI about the GitHub details (repo location, ci job file, and environment), and setting up something like this (taken from https://learn.scientific-python.org/development/guides/gha-wheels/#publishing):
upload_all:
needs: [build_wheels, make_sdist]
environment: pypi
permissions:
id-token: write
runs-on: ubuntu-latest
if: github.event_name == 'release' && github.event.action == 'published'
steps:
- uses: actions/download-artifact@v4
with:
pattern: cibw-*
path: dist
merge-multiple: true
- uses: pypa/gh-action-pypi-publish@release/v1I'm not sure how this interacts with branch-based releases that are currently used. I think you might be able to just remove the "environment" field (and leave the field blank on PyPI) and it might just work (though be less secure and have fewer options for release approvals and such that GitHub environments provide).
done