Add trusted publishing (OIDC) (#1135)

* Add trusted publishing * Don't persist credentials in pypi.yml Ref: <https://woodruffw.github.io/zizmor/audits/#artipacked> * Don't attempt to publish from forks * Include more comments

Add trusted publishing (OIDC) (#1135)
d4a2b2bf · Ben Mares · GitHub · 091b6640 · d4a2b2bf
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -21,6 +21,10 @@ jobs:
  make_sdist:
    name: Make SDist
    runs-on: ubuntu-latest
+    permissions:
+      # write id-token and attestations are required to attest build provenance
+      id-token: write
+      attestations: write
    steps:
      - uses: actions/checkout@v4
        with:
@@ -31,6 +35,11 @@ jobs:
      - name: Build SDist
        run: pipx run build --sdist

+      - name: Attest GitHub build provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: dist/*.tar.gz
+
      - uses: actions/upload-artifact@v4
        with:
          name: sdist
@@ -52,6 +61,10 @@ jobs:
  build_wheels:
    name: Build wheels for ${{ matrix.platform }}
    runs-on: ${{ matrix.platform }}
+    permissions:
+      # write id-token and attestations are required to attest build provenance
+      id-token: write
+      attestations: write
    strategy:
      matrix:
        platform:
@@ -67,6 +80,11 @@ jobs:
      - name: Build wheels
        uses: pypa/cibuildwheel@v2.22.0

+      - name: Attest GitHub build provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: ./wheelhouse/*.whl
+
      - uses: actions/upload-artifact@v4
        with:
          name: wheels-${{ matrix.platform }}
@@ -75,6 +93,10 @@ jobs:
  build_universal_wheel:
    name: Build universal wheel for Pyodide
    runs-on: ubuntu-latest
+    permissions:
+      # write id-token and attestations are required to attest build provenance
+      id-token: write
+      attestations: write
    steps:
      - uses: actions/checkout@v4
        with:
@@ -93,6 +115,11 @@ jobs:
        run: |
          PYODIDE=1 python setup.py bdist_wheel --universal

+      - name: Attest GitHub build provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: dist/*.whl
+
      - uses: actions/upload-artifact@v4
        with:
          name: universal_wheel
@@ -129,9 +156,16 @@ jobs:

  upload_pypi:
    name: Upload to PyPI on release
+    # Use the `release` GitHub environment to protect the Trusted Publishing (OIDC)
+    # workflow by requiring signoff from a maintainer.
+    environment: release
+    permissions:
+      # write id-token is required for trusted publishing (OIDC)
+      id-token: write
    needs: [check_dist]
    runs-on: ubuntu-latest
-    if: github.event_name == 'release' && github.event.action == 'published'
+    # Don't publish from forks
+    if: github.repository_owner == 'pymc-devs' && github.event_name == 'release' && github.event.action == 'published'
    steps:
      - uses: actions/download-artifact@v4
        with:
@@ -150,6 +184,4 @@ jobs:
          path: dist

      - uses: pypa/gh-action-pypi-publish@v1.12.2
-        with:
-          user: __token__
-          password: ${{ secrets.pypi_password }}
+        # Implicitly attests that the packages were uploaded in the context of this workflow.