From e04e5403c6517ccb7bd3319643ffc13c295be766 Mon Sep 17 00:00:00 2001
From: Alan Malta Rodrigues
Date: Wed, 7 Aug 2024 11:08:42 -0400
Subject: [PATCH] Update CD pipeline to used trusted publishers

---
 .github/workflows/pypi_build_and_images.yaml   |  2 --
 .../workflows/pypi_build_publish_template.yaml | 18 ++++++++----------
 2 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/pypi_build_and_images.yaml b/.github/workflows/pypi_build_and_images.yaml
index 82d67e2c10..283add84cd 100644
--- a/.github/workflows/pypi_build_and_images.yaml
+++ b/.github/workflows/pypi_build_and_images.yaml
@@ -31,8 +31,6 @@ jobs:
     uses: ./.github/workflows/pypi_build_publish_template.yaml
     with:
       wmcore_component: ${{ matrix.target }}
-    secrets:
-      pypy_token: ${{ secrets.PYPY_PRODUCTION }}
 # second job, depends on build_and_publish_services, builds and upload
 # docker images to CERN registry
diff --git a/.github/workflows/pypi_build_publish_template.yaml b/.github/workflows/pypi_build_publish_template.yaml
index 4825192944..9b79156486 100644
--- a/.github/workflows/pypi_build_publish_template.yaml
+++ b/.github/workflows/pypi_build_publish_template.yaml
@@ -6,17 +6,18 @@ on:
     wmcore_component:
       required: true
       type: string
-  secrets:
-    pypy_token:
-      required: true
 jobs:
   build_and_publish_from_template:
     runs-on: ubuntu-latest
+    environment:
+      name: production
+    permissions:
+      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup python 3.8
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v5
         with:
           python-version: "3.8"
       - name: Upgrade pip3
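Review bot: The `permissions: id-token: write` added under `build_and_publish_from_template` only takes effect if the calling job grants it too, because a reusable workflow's GITHUB_TOKEN scopes are capped at the caller's; the visible hunk of `pypi_build_and_images.yaml` removes the `secrets:` block but does not add `permissions: id-token: write` to the job that `uses:` this template, so unless that is set elsewhere in the caller the OIDC token request will fail at publish time. Declaring a `permissions:` block also sets every unlisted scope to none, so `contents: read` should be listed next to `id-token: write` for `actions/checkout@v4` to keep working (required at least for non-public repositories). `environment: name: production` is the value PyPI matches against the trusted-publisher configuration, so the environment and its protection rules need to exist on the repository side before merge; the diff cannot show that. The `steps:` list of this job continues past the end of the hunk.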
@@ -30,9 +31,6 @@ jobs:
           cp requirements.txt requirements.wmcore.txt
           awk "/(${{ inputs.wmcore_component }}$)|(${{ inputs.wmcore_component }},)/ {print \$1}" requirements.wmcore.txt > requirements.txt
       - name: Build sdist
-        run: python setup.py clean sdist
-      - name: Publish component
+        run: python3 setup.py clean sdist
+      - name: Upload package distribution to PyPi
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: __token__
-          password: ${{ secrets.pypy_token }}
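Review bot: The publish step is now the sole holder of the release capability, yet `uses: pypa/gh-action-pypi-publish@release/v1` tracks a mutable branch ref, so a compromised or force-pushed upstream ref would run with the OIDC identity and publish whatever it likes; pin it to a full commit SHA with the tracked ref in a trailing comment, `uses: pypa/gh-action-pypi-publish@<commit-sha>  # release/v1`, and do the same for `actions/checkout@v4` and `actions/setup-python@v5` in the previous hunk. The unchanged `awk` context line interpolates `${{ inputs.wmcore_component }}` directly into the `run:` shell text; since this is a reusable workflow, a caller-supplied value should be passed through `env:` (`COMPONENT: ${{ inputs.wmcore_component }}`) and referenced as `"$COMPONENT"` inside the command so a quote or metacharacter in the input cannot alter the script. Minor: the new `python3 setup.py clean sdist` still drives the deprecated setup.py CLI; `python3 -m build --sdist` is the supported equivalent, provided the Upgrade-pip step outside this hunk installs `build`. The job's `steps:` begin before this hunk.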