Use pypa/gh-action-pypi-publish to deploy

This allows publishing of digital attestations during deployment, increasing supply chain security.
adang1345 · Nov 18, 2024 · 9c6cb0d · 9c6cb0d
1 parent c97141e
commit 9c6cb0d
Showing 1 changed file with 18 additions and 6 deletions.
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -15,6 +15,8 @@ env:
 jobs:
   build_windows:
     runs-on: windows-2022
+    outputs:
+      DEPLOY: ${{ steps.build-and-install.outputs.DEPLOY }}
     steps:
       - name: check out repository
         uses: actions/checkout@v4
@@ -36,13 +38,14 @@ jobs:
 #          pip install pefile
 #          python scripts\find_library.py
       - name: build and install
+        id: build-and-install
         working-directory: ${{ github.workspace }}
         run: |
           pip install build
           python -m build
           pip install $(Get-ChildItem dist\delvewheel-*.whl)
           if ((git diff-tree --no-commit-id --name-only -r ${{ github.sha }} | Out-String).Contains("delvewheel/_version.py`r`n")) {
-            echo VERSION_CHANGED=1 | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+            echo DEPLOY=1 | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
           }
       - name: upload build artifacts
         uses: actions/upload-artifact@v4
@@ -89,9 +92,18 @@ jobs:
           source venv/bin/activate
           pip install ../dist/delvewheel-*.whl
           python run_tests.py -v LinuxTestCase
+  deploy:
+    if: needs.build_windows.outputs.DEPLOY == '1' && github.event_name == 'push' && github.ref == 'refs/heads/master' && github.repository_owner == 'adang1345'
+    needs: build_windows
+    name: deploy
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+    steps:
+      - name: download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: delvewheel
+          path: dist
       - name: deploy
-        if: env.VERSION_CHANGED == '1' && github.event_name == 'push' && github.ref == 'refs/heads/master' && github.repository_owner == 'adang1345'
-        working-directory: ${{ github.workspace }}
-        run: |
-          pip install twine
-          twine upload --skip-existing -u __token__ -p ${{ secrets.PYPI_TOKEN }} dist\*
+        uses: pypa/gh-action-pypi-publish@release/v1