From f23a477e793f42de7d5635b6109a7ef8dbaeeaf1 Mon Sep 17 00:00:00 2001
From: Maximilian Hils
Date: Tue, 13 Jun 2023 15:31:58 +0200
Subject: [PATCH] =?UTF-8?q?use=20OIDC=20for=20PyPI=20=F0=9F=8E=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/python-deploy.yml | 32 +++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/python-deploy.yml b/.github/workflows/python-deploy.yml
index 510bde5..79c0ba4 100644
--- a/.github/workflows/python-deploy.yml
+++ b/.github/workflows/python-deploy.yml
@@ -4,11 +4,11 @@
 # uses: mhils/workflows/.github/workflows/python-deploy.yml@main
 # needs: check
 # if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
-# secrets:
-# password: ${{ secrets.PYPI_TOKEN }}
+# permissions:
+# id-token: write
 
 permissions:
- contents: read
+ id-token: write
 
 on:
 workflow_call:
@@ -19,17 +19,11 @@ on:
 type: string
 repository:
 type: string
- secrets:
- username:
- password:
- required: true
 
 jobs:
 deploy:
 environment: ${{ inputs.environment || 'deploy' }}
 env:
- TWINE_USERNAME: ${{ secrets.username || '__token__' }}
- TWINE_PASSWORD: ${{ secrets.password }}
 TWINE_REPOSITORY: ${{ inputs.repository || 'pypi' }}
 runs-on: ubuntu-latest
 steps:
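Review bot: The usage comment now shows the caller granting `permissions: id-token: write`, which is required because a called workflow cannot hold more GITHUB_TOKEN scope than the caller passes in, but it says nothing about what must exist on the PyPI side for the mint step later in this file to succeed. Suggest extending the comment with `#     (a trusted publisher for the calling repository must be registered on PyPI; confirm which workflow file name and environment PyPI expects when the workflow is reused from another repository)`. Dropping `contents: read` is sound here since the job only downloads a run artifact and uploads to PyPI, but a one-line comment that `permissions:` is intentionally minimal would stop the scope being added back by reflex.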
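Review bot: `TWINE_REPOSITORY: ${{ inputs.repository || 'pypi' }}` still honours the `repository` input, but the token minted later in this file is requested with `audience=pypi` from `https://pypi.org/_/oidc/github/mint-token`, so a caller passing e.g. `repository: testpypi` now receives a credential the other index will not accept. Either document on the input that only `pypi` is supported with trusted publishing, or derive the audience and mint URL from the input. With the password secret gone, `environment: ${{ inputs.environment || 'deploy' }}` is also the main thing a caller can use to gate uploads (the environment name is carried in the OIDC token and, if registered, checked on the PyPI side), so its description should say that the name must match the publisher registered on PyPI and that protection rules on that environment are what now stand between a tag push and an upload.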
@@ -40,4 +34,24 @@ jobs:
 name: ${{ inputs.artifact || 'wheels' }}
 path: dist/
 - run: twine check dist/*
+ - name: mint API token # copied from https://docs.pypi.org/trusted-publishers/using-a-publisher/
+ id: mint-token
+ run: |
+ # retrieve the ambient OIDC token
+ resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+ "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
+ oidc_token=$(jq '.value' <<< "${resp}")
+
+ # exchange the OIDC token for an API token
+ resp=$(curl -X POST https://pypi.org/_/oidc/github/mint-token -d "{\"token\": \"${oidc_token}\"}")
+ api_token=$(jq '.token' <<< "${resp}")
+
+ # mask the newly minted API token, so that we don't accidentally leak it
+ echo "::add-mask::${api_token}"
+
+ # see the next step in the workflow for an example of using this step output
+ echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
 - run: twine upload dist/*
+ env:
+ TWINE_USERNAME: __token__
+ TWINE_PASSWORD: ${{ steps.mint-token.outputs.api-token }}
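Review bot: `oidc_token=$(jq '.value' …)` and `api_token=$(jq '.token' …)` capture jq's JSON-encoded output, so as written both values carry literal surrounding double quotes; the hand-built `-d "{\"token\": \"${oidc_token}\"}"` body then contains `""…""`, and `::add-mask::` registers the quoted value, which would not mask the bare token if it ever surfaces in twine output. Both `curl` calls also run without `--fail`, so an HTTP error body from GitHub or PyPI is parsed as if it were a token, `null` is added to the mask list, and the failure only shows up later in `twine upload`. The rewrite below uses `jq -er` (raw output, non-zero exit on null), `curl -sSf`, `set -euo pipefail`, and lets jq build the request body instead of splicing the token into a string. The enclosing `deploy` job starts before this hunk.

```yaml
      - name: mint API token # copied from https://docs.pypi.org/trusted-publishers/using-a-publisher/
        id: mint-token
        run: |
          set -euo pipefail
          # retrieve the ambient OIDC token; -f makes an HTTP error fail the step here
          resp=$(curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
          # -r strips jq's JSON quoting, -e fails on a missing/null value
          oidc_token=$(jq -er '.value' <<< "${resp}")

          # exchange the OIDC token for an API token; jq builds the body so the token is never spliced into a string
          resp=$(curl -sSf -X POST https://pypi.org/_/oidc/github/mint-token \
            -d "$(jq -n --arg token "${oidc_token}" '{token: $token}')")
          api_token=$(jq -er '.token' <<< "${resp}")

          # … unchanged: add-mask and GITHUB_OUTPUT lines …
```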