Description
Switch to pypa/gh-action-pypi-publish for the publish to PyPI job in the CI workflow, instead of invocation of twine upload (via tox), using trusted publishing.
This adds build artefact attestations in the upload to PyPI. Trusted publishing (with attestations) means I can know for certain that what I download from PyPI is the same artefact which was generated in GitHub CI, meaning that what I see in GitHub is the same as what is installed - handy for auditing (rather than having to manually review all of the installed files on each release).
See the Python packaging documentation, the PyPI documentation, and the official pypi-publish GitHub action documentation on trusted publishing.
In the release job of the CI workflow, you would add the environment and permissions (`id-token: write`), and replace the Install tox and Run steps with four steps (assuming you don't want to split the build into a separate job with fewer permissions):
- install dependencies: `run: pip install build 'jaraco.develop >= 7.1'`
- build the package: `run: python -m build`
- the PyPI publish action: `uses: pypa/gh-action-pypi-publish@release/v1` (no `TWINE_PASSWORD` env needed)
- create the GitHub release: `run: python -m jaraco.develop.create-github-release` and `env: { GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} }`
You'll need to configure an environment in PyPI and GitHub. You will be able to remove the PYPI_USERNAME project secret.
The release tox environment would not be used in CI anymore.
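A complete release job along these lines, as an added example that is not the project's own workflow; the environment name `pypi`, the tag-based trigger condition, the checkout/setup-python steps and the `contents: write` permission are assumptions:

```yaml
# Added example (not the project's workflow). Assumptions: the PyPI trusted
# publisher was registered for environment "pypi", releases run on pushed tags,
# and an explicit `permissions:` block drops the defaults, so contents access
# for checkout and for creating the GitHub release has to be granted here.
jobs:
  release:
    needs: test
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    environment: pypi          # must match the environment named in the PyPI trusted publisher
    permissions:
      contents: write          # create the GitHub release (also covers checkout)
      id-token: write          # lets the publish action mint an OIDC token; no PyPI password/secret
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Install dependencies
        run: pip install build 'jaraco.develop >= 7.1'
      - name: Build the package
        run: python -m build   # produces dist/*.tar.gz and dist/*.whl
      - name: Publish to PyPI
        # Replaces the tox-driven `twine upload`: the action exchanges the
        # GitHub OIDC token for a short-lived PyPI token and uploads dist/,
        # attaching build attestations under trusted publishing.
        # No TWINE_PASSWORD / PYPI_USERNAME env needed.
        uses: pypa/gh-action-pypi-publish@release/v1
      - name: Create GitHub release
        run: python -m jaraco.develop.create-github-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Because the trusted publisher on PyPI is bound to this repository, workflow file and environment, an upload from any other workflow or fork is rejected, which is what makes the published artefact auditable back to the CI run.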