Revert "use OIDC for PyPI 🎉"

This reverts commit f23a477. Blocked by pypi/warehouse#11096.
mhils · Jun 13, 2023 · 531d64a · 531d64a
1 parent f23a477
commit 531d64a
Showing 1 changed file with 9 additions and 23 deletions.
diff --git a/.github/workflows/python-deploy.yml b/.github/workflows/python-deploy.yml
@@ -4,11 +4,11 @@
 #   uses: mhils/workflows/.github/workflows/python-deploy.yml@main
 #   needs: check
 #   if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
-#   permissions:
-#     id-token: write
+#   secrets:
+#     password: ${{ secrets.PYPI_TOKEN }}
 
 permissions:
-  id-token: write
+  contents: read
 
 on:
   workflow_call:
@@ -19,11 +19,17 @@ on:
         type: string
       repository:
         type: string
+    secrets:
+      username:
+      password:
+        required: true
 
 jobs:
   deploy:
     environment: ${{ inputs.environment || 'deploy' }}
     env:
+      TWINE_USERNAME: ${{ secrets.username || '__token__' }}
+      TWINE_PASSWORD: ${{ secrets.password }}
       TWINE_REPOSITORY: ${{ inputs.repository || 'pypi' }}
     runs-on: ubuntu-latest
     steps:
@@ -34,24 +40,4 @@ jobs:
           name: ${{ inputs.artifact || 'wheels' }}
           path: dist/
       - run: twine check dist/*
-      - name: mint API token  # copied from https://docs.pypi.org/trusted-publishers/using-a-publisher/
-        id: mint-token
-        run: |
-          # retrieve the ambient OIDC token
-          resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
-          oidc_token=$(jq '.value' <<< "${resp}")
-
-          # exchange the OIDC token for an API token
-          resp=$(curl -X POST https://pypi.org/_/oidc/github/mint-token -d "{\"token\": \"${oidc_token}\"}")
-          api_token=$(jq '.token' <<< "${resp}")
-
-          # mask the newly minted API token, so that we don't accidentally leak it
-          echo "::add-mask::${api_token}"
-
-          # see the next step in the workflow for an example of using this step output
-          echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
       - run: twine upload dist/*
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ steps.mint-token.outputs.api-token }}