@@ -40,23 +40,29 @@ jobs:
4040 # for <package-name>
4141 url : https://pypi.org/p/<package-name>
4242 permissions :
43- id-token : write
43+ id-token : write # IMPORTANT: mandatory for trusted publishing
4444
4545 steps :
46- - name : Download all the dists
47- uses : actions/download-artifact@v3
48- with :
49- name : python-package-distributions
50- path : dist/
51- - name : Publish distribution 📦 to PyPI
52- uses : pypa/gh-action-pypi-publish@release/v1
46+ - name : Download all the dists
47+ uses : actions/download-artifact@v3
48+ with :
49+ name : python-package-distributions
50+ path : dist/
51+ - name : Publish distribution 📦 to PyPI
52+ uses : pypa/gh-action-pypi-publish@release/v1
5353
5454 github-release :
5555 name : >-
5656 Sign the Python 🐍 distribution 📦 with Sigstore
5757 and upload them to GitHub Release
5858 needs :
5959 - publish-to-pypi
60+ runs-on : ubuntu-latest
61+
62+ permissions :
63+ contents : write # IMPORTANT: mandatory for making GitHub Releases
64+ id-token : write # IMPORTANT: mandatory for sigstore
65+
6066 steps :
6167 - name : Sign the dists with Sigstore
6268 uses : sigstore/gh-action-sigstore-python@v1.2.3
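Review bot: The new `permissions` block for the `github-release` job (new-side lines 62–64) grants `contents: write` and `id-token: write` to a job whose steps run third-party actions referenced by mutable tags, e.g. `sigstore/gh-action-sigstore-python@v1.2.3` directly below it, so a retargeted tag on that action would inherit the ability to upload release assets and obtain an OIDC token. Pinning the `uses:` ref to a full commit SHA and keeping the version as a trailing comment limits that, e.g. `uses: sigstore/gh-action-sigstore-python@<full-commit-sha>  # v1.2.3` (placeholder, substitute the released commit). The same consideration applies to `softprops/action-gh-release@v1` in the second hunk, which runs under the same job permissions. Keeping `permissions` job-scoped, as the commit does, is the right shape; it presumably relies on a restrictive workflow-level default that is not visible here. The `github-release` job's steps continue past the end of this hunk.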
@@ -70,20 +76,22 @@ jobs:
7076 # created the release above.
7177 uses : softprops/action-gh-release@v1
7278 with :
73- # dist/ contains the built packages, which smoketest-artifacts/
74- # contains the signatures and certificates.
79+ # ` dist/` contains the built packages, and the
80+ # sigstore-produced signatures and certificates.
7581 files : dist/**
7682
7783 publish-to-testpypi :
7884 name : Publish Python 🐍 distribution 📦 to TestPyPI
7985 needs :
8086 - build
8187 runs-on : ubuntu-latest
88+
8289 environment :
8390 name : testpypi
8491 url : https://test.pypi.org/p/<package-name>
92+
8593 permissions :
86- id-token : write
94+ id-token : write # IMPORTANT: mandatory for trusted publishing
8795
8896 steps :
8997 - name : Download all the dists