Merge pull request #921 from mandiant/trusted-publishing

Trusted publishing
mandiant · Dec 12, 2023 · 494372c · 494372c
2 parents 1765846 + 1f9a25e
commit 494372c
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 17 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,17 +1,21 @@
-# This workflows will upload a Python Package using Twine when a release is created
-# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
-
+# use PyPI trusted publishing, as described here: 
+# https://blog.trailofbits.com/2023/05/23/trusted-publishing-a-new-benchmark-for-packaging-security/
 name: publish to pypi
 
 on:
   release:
     types: [published]
-    branches: [master]
+
+permissions:
+  contents: write
 
 jobs:
-  deploy:
-    runs-on: ubuntu-20.04
-    # Pin action version by commit hash to maximize trust, ref: https://securitylab.github.com/research/github-actions-building-blocks/
+  pypi-publish:
+    runs-on: ubuntu-latest
+    environment:
+      name: release
+    permissions:
+      id-token: write
     steps:
       - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Set up Python
@@ -21,11 +25,17 @@ jobs:
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install setuptools wheel twine
-      - name: Build and publish
-        env:
-          TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
-          TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
+          pip install -e .[build]
+      - name: build package
         run: |
-          python setup.py sdist bdist_wheel
-          twine upload --skip-existing dist/*
+          python -m build
+      - name: upload package artifacts
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          path: dist/*
+      - name: publish package
+        uses: pypa/gh-action-pypi-publish@f5622bde02b04381239da3573277701ceca8f6a0  # release/v1
+        with:
+          skip-existing: true
+          verbose: true
+          print-hash: true
diff --git a/setup.py b/setup.py
@@ -71,9 +71,7 @@
             "types-PyYAML==6.0.10",
             "types-tabulate==0.9.0.3",
         ],
-        "build": [
-            "pyinstaller==6.3.0",
-        ],
+        "build": ["pyinstaller==6.3.0", "setuptools==69.0.2", "build==1.0.3"],
     },
     zip_safe=False,
     keywords="floss malware analysis obfuscation strings FLARE",