Merge pull request #944 from PowerGridModel/add-trusted-publisher-management-pypi

Add trusted publisher management in PyPI

Author: figueroa1395

.github/workflows/build-test-release.yml

@@ -13,11 +13,6 @@ on:
         type: boolean
         description: Create a (pre-)release when CI passes
         required: true
-    secrets:
-      PYPI_USER:
-        required: true
-      PYPI_PASS:
-        required: true
   # run this workflow manually from the Actions tab
   workflow_dispatch:
     inputs:
@@ -44,12 +39,13 @@ jobs:
           python-version: "3.12"
 
       - name: Set PyPI Version
-        run: |
-          pip install requests build
-          python set_pypi_version.py
+        uses: PowerGridModel/pgm-version-bump@main
 
       - name: Build SDist
-        run: python -m build --sdist --outdir wheelhouse .
+        run: |
+          cat PYPI_VERSION
+          pip install build
+          python -m build --sdist --outdir wheelhouse .
 
       - name: Keep version file
         uses: actions/upload-artifact@v4
@@ -283,16 +279,14 @@ jobs:
       - name: Test
         run: pytest
 
-  publish-wheels:
+  github-release:
+    name: Create and release assets to GitHub
     needs: [build-cpp-test-linux, build-cpp-test-windows, build-cpp-test-macos, build-and-test-python, build-and-test-conda]
     # always run publish job but fail at the first step if previous jobs have been failed
     if: always()
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     permissions:
       contents: write
-    env:
-      TWINE_USERNAME: ${{ secrets.PYPI_USER }}
-      TWINE_PASSWORD: ${{ secrets.PYPI_PASS }}
 
     steps:
       - name: Fail fast
@@ -329,14 +323,7 @@ jobs:
       - name: Display tag
         run: echo "${{ steps.tag.outputs.tag }}"
 
-      - name: Upload wheels
-        if: (inputs.create_release)
-        run: |
-          pip install twine
-          echo "Publish to PyPI..."
-          twine upload --verbose wheelhouse/*
-
-      - name: Release
+      - name: Create GitHub release
         uses: softprops/action-gh-release@v2
         if: (inputs.create_release)
         with:

.github/workflows/ci.yml

@@ -43,9 +43,6 @@ jobs:
       # create_release becomes true if the event that triggered this workflow is "push" on main
       # otherwise create_release becomes false
       create_release: ${{ (github.event_name == 'workflow_dispatch' && inputs.create_release) || github.event_name == 'push'}}
-    secrets:
-      PYPI_USER: ${{ secrets.PYPI_USER }}
-      PYPI_PASS: ${{ secrets.PYPI_PASS }}
 
   check-code-quality:
     uses: "./.github/workflows/check-code-quality.yml"

.github/workflows/nightly.yml

@@ -21,9 +21,6 @@ jobs:
       contents: write
     with:
       create_release: false
-    secrets:
-      PYPI_USER: user
-      PYPI_PASS: pass
 
   check-code-quality:
     uses: "./.github/workflows/check-code-quality.yml"

.github/workflows/publish-pypi.yml

@@ -0,0 +1,55 @@
+# SPDX-FileCopyrightText: Contributors to the Power Grid Model project <powergridmodel@lfenergy.org>
+#
+# SPDX-License-Identifier: MPL-2.0
+
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  id-token: write  # Required for Trusted Publishing
+
+jobs:
+  publish:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Download assets from GitHub release
+        uses: robinraju/release-downloader@v1
+        with:
+          repository: ${{ github.repository }}
+          # download the latest release
+          latest: true
+          # don't donwload pre-releases
+          preRelease: false
+          fileName: "*"
+          # don't download GitHub-generated source tar and zip files
+          tarBall: false
+          zipBall: false
+          # create a directory to store the downloaded assets
+          out-file-path: assets-to-publish
+          # don't extract downloaded files
+          extract: false
+
+      - name: List downloaded assets
+        run: ls -la assets-to-publish
+      
+      - name: Upload assets to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          # To test, use the TestPyPI:
+          # repository-url: https://test.pypi.org/legacy/
+          # You must also create an account and project on TestPyPI,
+          # as well as set the trusted-publisher in the project settings:
+          # https://docs.pypi.org/trusted-publishers/adding-a-publisher/
+          # To publish to the official PyPI repository, just keep
+          # repository-url commented out.
+          packages-dir: assets-to-publish
+          skip-existing: true
+          print-hash: true
+          verbose: true

pyproject.toml

@@ -20,15 +20,14 @@ authors = [
 ]
 description = "Python/C++ library for distribution power system analysis"
 readme = "README.md"
-license = { text = "MPL-2.0" }
+license = "MPL-2.0"
 classifiers = [
     "Programming Language :: Python :: 3",
     "Programming Language :: Python :: Implementation :: CPython",
     "Programming Language :: C++",
     "Development Status :: 5 - Production/Stable",
     "Intended Audience :: Developers",
     "Intended Audience :: Science/Research",
-    "License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)",
     "Operating System :: Microsoft :: Windows",
     "Operating System :: POSIX :: Linux",
     "Operating System :: MacOS",