Use Trusted Publishing (#806)

JelleZijlstra · web-flow · commit 121d19209d8f · 2024-08-07T07:08:52.000-07:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -3,24 +3,33 @@
 
 name: Publish Python distributions to PyPI
 
-on: push
+on:
+  release:
+    types: [published]
+  push:
+    branches: [master]
+  pull_request:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
 
 jobs:
-  build-n-publish:
+  build:
     name: Build and publish Python distributions to PyPI
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python 3.11
+      - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.11"
+          python-version: "3.x"
       - name: Install pypa/build
         run: >-
-          python -m
-          pip install
-          build
-          --user
+          python -m pip install --upgrade build
       - name: Build a binary wheel and a source tarball
         run: >-
           python -m
@@ -29,8 +38,28 @@ jobs:
           --wheel
           --outdir dist/
           .
+      - name: Store the distribution packages
+        uses: actions/upload-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+
+  publish:
+    name: Publish distribution to PyPI
+    if: github.event_name == 'release'
+    needs:
+      - build
+    runs-on: ubuntu-latest
+    environment:
+      name: publish
+      url: https://pypi.org/p/pyanalyze
+    permissions:
+      id-token: write
+    steps:
+      - name: Download all the dists
+        uses: actions/download-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
       - name: Publish distribution to PyPI
-        if: startsWith(github.ref, 'refs/tags')
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          password: ${{ secrets.PYPI_API_TOKEN }}
diff --git a/docs/changelog.md b/docs/changelog.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## Version 0.13.1 (August 7, 2024)
+
+- Use Trusted Publishing to publish releases (#806)
+
 ## Version 0.13.0 (August 7, 2024)
 
 - Flag use of generators that are immediately discarded (#800)
diff --git a/setup.py b/setup.py
@@ -2,7 +2,7 @@
 
 from setuptools import setup
 
-version = "0.13.0"
+version = "0.13.1"
 package_data = ["test.toml", "stubs/*/*.pyi"]
 
 
