Merge pull request #113 from smkent/pypi

Configure PyPI trusted publishing

Author: smkent

tests/test_template.py

@@ -132,7 +132,7 @@ def test_rendered_project(
         cd_data = yaml.safe_load(f.read())
     assert ci_data["env"]["ENABLE_COVERAGE"] == enable_coverage
     assert cd_data["env"]["ENABLE_PYPI_PUBLISH"] == enable_pypi_publish
-    assert cd_data["env"]["ENABLE_TEST_PYPI_PUBLISH"] == enable_pypi_publish
+    assert cd_data["env"]["ENABLE_TEST_PYPI_PUBLISH"] is False
 
     assert not (
         subprocess.check_output(

{{cookiecutter.project_name}}/.github/workflows/cd.yml

@@ -3,22 +3,26 @@ name: Release
 
 env:
   ENABLE_PYPI_PUBLISH: {{ "true" if cookiecutter.enable_pypi_publish|lower == "yes" else "false" }}
-  ENABLE_TEST_PYPI_PUBLISH: {{ "true" if cookiecutter.enable_pypi_publish|lower == "yes" else "false" }}
+  ENABLE_TEST_PYPI_PUBLISH: false
   RELEASE_PYTHON_VERSION: "3.12"
   RELEASE_POETRY_VERSION: "2.0"
 
 on:
   push:
     tags:
       - '*'
-  workflow_dispatch:
 
 jobs:
   Publish:
     name: Publish package for ${{ "{{" }} github.ref_name }}
 
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
     runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/{{ cookiecutter.project_name }}
+    permissions:
+      id-token: write
 
     steps:
       - name: 💾 Check out repository
@@ -49,15 +53,12 @@ jobs:
         uses: pypa/gh-action-pypi-publish@release/v1
         if: ${{ "{{" }} env.ENABLE_TEST_PYPI_PUBLISH == 'true' }}
         with:
-          password: ${{ "{{" }} secrets.TEST_PYPI_API_TOKEN }}
           repository-url: https://test.pypi.org/legacy/
           skip-existing: true
 
       - name: ☢️ Publish to PyPI
         if: ${{ "{{" }} env.ENABLE_PYPI_PUBLISH == 'true' }}
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          password: ${{ "{{" }} secrets.PYPI_API_TOKEN }}
 
 concurrency:
   group: ${{ "{{" }} github.workflow }}-${{ "{{" }} github.ref }}