From 408351b5006c062bfd0ca36e7a750edbb7c751a3 Mon Sep 17 00:00:00 2001
From: Ryan May
Date: Mon, 24 Apr 2023 14:11:16 -0600
Subject: [PATCH 1/2] CI: Add dependabot config for GitHub Actions

This should help keep GitHub Actions versions up-to-date.
---
 .github/dependabot.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..9c02663
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,18 @@
+version: 2
+
+updates:
+ # Update GitHub Actions versions in workflows
+ - package-ecosystem: "github-actions"
+ # Workflow files stored in the
+ # default location of `.github/workflows`
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ allow:
+ - dependency-type: all
+ open-pull-requests-limit: 10
+ pull-request-branch-name:
+ separator: "-"
+ commit-message:
+ prefix: "CI: "
+ include: "scope"

From 5f875d32eccc13cbc3cf1ffa0735cd07a839f7e8 Mon Sep 17 00:00:00 2001
From: Ryan May
Date: Mon, 24 Apr 2023 14:09:58 -0600
Subject: [PATCH 2/2] CI: Switch to PyPI trusted publisher

This replaces using a fixed secret API token that is attached to a single user.
---
 .github/workflows/release.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fe5675f..4a0a777 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -38,6 +38,8 @@ jobs:
 environment:
 name: PyPI
 url: https://pypi.org/project/python-awips/
+ permissions:
+ id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
 runs-on: ubuntu-latest
 steps:
 - name: Download packages
@@ -47,7 +49,4 @@ jobs:
 name: artifact
 
 - name: Publish Package
- uses: pypa/gh-action-pypi-publish@v1.4.2
- with:
- user: __token__
- password: ${{ secrets.PYPI_TOKEN }}
+ uses: pypa/gh-action-pypi-publish@v1.12.4
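Review bot: The `allow:` block with `- dependency-type: all` in the new .github/dependabot.yml restates Dependabot's default (every dependency is maintained unless `allow` narrows the set), so those two lines can be dropped without changing what gets updated. If the intent was to document coverage, a one-line comment such as `# every action reference is covered (Dependabot default)` says it without the extra keys. As far as I know this config also handles actions referenced by a full commit SHA, provided the SHA is followed by a version comment, so it is compatible with SHA-pinned `uses:` lines in the workflows it will maintain.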
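Review bot: The new `uses: pypa/gh-action-pypi-publish@v1.12.4` line in the second hunk of release.yml references the publisher by a mutable tag, and this job now mints an OIDC `id-token` that PyPI accepts as the project's publishing identity, so a moved or retagged release would run third-party code with that capability; pin the full commit SHA and keep the version as a trailing comment so the Dependabot config from the first patch still bumps it: `uses: pypa/gh-action-pypi-publish@<full-commit-sha-of-v1.12.4>  # v1.12.4`. With the `password: ${{ secrets.PYPI_TOKEN }}` line removed the repository secret is no longer referenced anywhere in this workflow, so the token it holds should be revoked on PyPI and the secret deleted, which the commit description does not mention. The `name: PyPI` under `environment:` in the first hunk presumably has to match the environment named in the PyPI trusted-publisher configuration; worth confirming, since a mismatch only surfaces as a failed token exchange at release time. The enclosing job starts before the first hunk of this file.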