Move back to tokens

virtuald · virtuald · commit 15c03259ce35 · 2023-11-01T00:58:12.000-04:00
- Reusable workflows can't use trusted publishing yet: pypa/gh-action-pypi-publish#166
diff --git a/.github/workflows/package-ci.yml b/.github/workflows/package-ci.yml
@@ -41,12 +41,6 @@ on:
         default: 'main'
         type: string
     secrets:
-      SSH_USER:
-        description: User to SFTP as
-      SSH_KEY:
-        description: Private key
-      SSH_PASSPHRASE:
-        description: Decryption passphrase for private key
       META_REPO_ACCESS_TOKEN:
         description: Token to use to trigger bump workflow on robotpy-meta
       RTD_TOKEN:
@@ -57,6 +51,8 @@ on:
         description: Username to upload to artifactory
       WPI_ARTIFACTORY_TOKEN:
         description: Token to use to upload to artifactory
+      PYPI_API_TOKEN:
+        description: Token to publish the package to PyPI
 
 concurrency:
   group: ${{ github.ref }}
@@ -282,8 +278,6 @@ jobs:
   publish-pypi:
     runs-on: ubuntu-latest
     needs: [check, build, cross-build]
-    permissions:
-      id-token: write
     if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags')
 
     steps:
@@ -335,7 +329,9 @@ jobs:
     - name: Publish to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        verify-metadata: false
+        user: __token__
+        password: ${{ secrets.PYPI_API_TOKEN }}
+        verify_metadata: false
 
   ping-rtd:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/package-hal-extension.yml b/.github/workflows/package-hal-extension.yml
@@ -6,6 +6,8 @@ on:
     secrets:
       META_REPO_ACCESS_TOKEN:
         description: Token to use to trigger bump workflow on robotpy-meta
+      PYPI_API_TOKEN:
+        description: Token to publish the package to PyPI
 
 
 jobs:
@@ -86,7 +88,9 @@ jobs:
     - name: Publish to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        verify-metadata: false
+        user: __token__
+        password: ${{ secrets.PYPI_API_TOKEN }}
+        verify_metadata: false
 
     # - uses: robotpy/build-actions/ping-meta@v2024
     #   with:
diff --git a/.github/workflows/package-pure.yml b/.github/workflows/package-pure.yml
@@ -12,6 +12,8 @@ on:
     secrets:
       META_REPO_ACCESS_TOKEN:
         description: Token to use to trigger bump workflow on robotpy-meta
+      PYPI_API_TOKEN:
+        description: Token to publish the package to PyPI
 
 
 jobs:
@@ -95,7 +97,9 @@ jobs:
     - name: Publish to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        verify-metadata: false
+        user: __token__
+        password: ${{ secrets.PYPI_API_TOKEN }}
+        verify_metadata: false
 
     # - uses: robotpy/build-actions/ping-meta@v2024
     #   with:
