Update PyPI release to trusted publishing (#1752)

Author: mkrnr

.github/workflows/ci.yml

@@ -1014,6 +1014,9 @@ jobs:
     name: Release
     environment: release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
     needs: [analyze, test_linux, test_macos, test_windows, test_python_latest_supported, test_python_312, test_python_311, test_python_310, test_qt_gui, test_packaging, test_code_quality, build_linux, build_macos, build_windows]
     if: >-
       !cancelled()
@@ -1059,15 +1062,16 @@ jobs:
           RELEASE_VERSION: ${{ needs.test_packaging.outputs.version }}
         run: publish_github_release
 
-      - name: Publish PyPI release
+      - name: Collect Python distributions for PyPI
+        run: |
+          mkdir -p dist/pypi
+          cp dist/Source/*.tar.gz dist/pypi/
+          cp dist/Wheel/*.whl dist/pypi/
+
+      - name: Publish release to PyPI (Trusted Publishing)
         if: needs.analyze.outputs.release_type == 'tagged'
-        env:
-          TWINE_NON_INTERACTIVE: 1
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
-          # Optional: twine will fallback to default if empty.
-          TWINE_REPOSITORY_URL: ${{ secrets.PYPI_URL }}
-        run: publish_pypi_release
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: dist/pypi
+          skip-existing: true
   # }}}
-
-# vim: foldmethod=marker foldlevel=0

.github/workflows/ci/helpers.sh

@@ -190,11 +190,6 @@ EOF
     "$tag" "${assets[@]}"
 }
 
-publish_pypi_release()
-{
-  run "$python" -m twine upload dist/Source/* dist/Wheel/*
-}
-
 analyze_set_release_info()
 {
   info "GITHUB_REF: $GITHUB_REF"

.github/workflows/ci/workflow_generate.py

@@ -86,6 +86,9 @@ def fetch_anchor(self):
     )
     fp.write(workflow)
 
+    # Ensure the generated file ends with a trailing newline.
+    fp.write("\n")
+
 # And try parsing it to check it's valid YAML,
 # and ensure anchors/aliases are not used.
 GithubActionsYamlLoader(workflow).get_single_data()

.github/workflows/ci/workflow_template.yml

@@ -274,6 +274,9 @@ jobs:
     name: Release
     environment: release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
     needs: [analyze, <@ jobs|join(', ', attribute='id') @>]
     if: >-
       !cancelled()
@@ -309,15 +312,16 @@ jobs:
           RELEASE_VERSION: ${{ needs.test_packaging.outputs.version }}
         run: publish_github_release
 
-      - name: Publish PyPI release
+      - name: Collect Python distributions for PyPI
+        run: |
+          mkdir -p dist/pypi
+          cp dist/Source/*.tar.gz dist/pypi/
+          cp dist/Wheel/*.whl dist/pypi/
+
+      - name: Publish release to PyPI (Trusted Publishing)
         if: needs.analyze.outputs.release_type == 'tagged'
-        env:
-          TWINE_NON_INTERACTIVE: 1
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
-          # Optional: twine will fallback to default if empty.
-          TWINE_REPOSITORY_URL: ${{ secrets.PYPI_URL }}
-        run: publish_pypi_release
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: dist/pypi
+          skip-existing: true
   # }}}
-
-# vim: foldmethod=marker foldlevel=0