From c281341efe46c46d85f0fd41b9802585d92f65dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Hensgen?= <24550538+sebhmg@users.noreply.github.com>
Date: Mon, 3 Nov 2025 18:05:59 -0500
Subject: [PATCH 1/2] [DEVOPS-913] grant access to id-token for OIDC

---
 .github/workflows/reusable-python-publish_pypi_package.yml | 1 +
 .github/workflows/reusable-python-release_pypi_assets.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/workflows/reusable-python-publish_pypi_package.yml b/.github/workflows/reusable-python-publish_pypi_package.yml
index 60c238a..b20682b 100644
--- a/.github/workflows/reusable-python-publish_pypi_package.yml
+++ b/.github/workflows/reusable-python-publish_pypi_package.yml
@@ -99,6 +99,7 @@ jobs:
   publish_package:
     name: Publish package
     permissions:
+      id-token: write
       contents: read
     runs-on: 'ubuntu-latest'
     timeout-minutes: 5
diff --git a/.github/workflows/reusable-python-release_pypi_assets.yml b/.github/workflows/reusable-python-release_pypi_assets.yml
index 64e66b1..be2b470 100644
--- a/.github/workflows/reusable-python-release_pypi_assets.yml
+++ b/.github/workflows/reusable-python-release_pypi_assets.yml
@@ -35,6 +35,7 @@ jobs:
   publish_pypi_assets:
     name: Publish PyPI assets
     permissions:
+      id-token: write
       contents: write
     if: ${{ github.repository_owner == 'MiraGeoscience' }}
     runs-on: 'ubuntu-latest'

From d41ba30923ca25ad50e2f0aaaf0f117fdbac8397 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Hensgen?= <24550538+sebhmg@users.noreply.github.com>
Date: Mon, 3 Nov 2025 18:21:46 -0500
Subject: [PATCH 2/2] [DEVOPS-913] do not pass password for PyPI OIDC

---
 .github/workflows/reusable-python-publish_pypi_package.yml | 4 ----
 .github/workflows/reusable-python-release_pypi_assets.yml | 4 ----
 2 files changed, 8 deletions(-)

diff --git a/.github/workflows/reusable-python-publish_pypi_package.yml b/.github/workflows/reusable-python-publish_pypi_package.yml
index b20682b..27254cb 100644
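Review bot: `publish_package` now receives `id-token: write` but the hunk shows no `environment:` on the job, so the OIDC identity presented to PyPI is scoped only by repository and workflow; binding the job to a GitHub environment (for example `environment: pypi`, name constructed) and registering the trusted publisher against that environment lets PyPI reject tokens minted from any other context and lets the environment carry required-reviewer protection. Since this is a reusable workflow, the token's claims also reference the calling workflow, so confirm before merging that the PyPI trusted-publisher entry names the workflow file PyPI actually checks (caller vs. this reusable file), otherwise the token exchange will fail at publish time. Once this permission is granted any step in the job can request an identity token, so the job's `uses:` lines (outside the hunk) should be pinned to full commit SHAs rather than floating tags. The same points apply to the `publish_pypi_assets` hunk in reusable-python-release_pypi_assets.yml, where the id-token is additionally paired with `contents: write`.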
--- a/.github/workflows/reusable-python-publish_pypi_package.yml
+++ b/.github/workflows/reusable-python-publish_pypi_package.yml
@@ -52,9 +52,6 @@ on:
       JFROG_ARTIFACTORY_TOKEN:
         description: 'JFrog Artifactory Token'
         required: true
-      PYPI_TOKEN:
-        description: 'PyPI Token'
-        required: false
 
 defaults:
   run:
@@ -143,7 +140,6 @@ jobs:
          verbose: true
          packages-dir: ${{ env.build-dir-path }}/
          repository-url: https://${{ matrix.virtual-repo-name == 'test-pypi' && 'test.pypi' || 'upload.pypi'}}.org/legacy/
-         password: ${{ secrets.PYPI_TOKEN }}
   add_release_asset:
     name: Add release asset
     permissions:
diff --git a/.github/workflows/reusable-python-release_pypi_assets.yml b/.github/workflows/reusable-python-release_pypi_assets.yml
index be2b470..20ef0a9 100644
--- a/.github/workflows/reusable-python-release_pypi_assets.yml
+++ b/.github/workflows/reusable-python-release_pypi_assets.yml
@@ -23,9 +23,6 @@ on:
       JFROG_ARTIFACTORY_TOKEN:
         description: 'JFrog Artifactory Token'
         required: true
-      PYPI_TOKEN:
-        description: 'PyPI Token'
-        required: false
 
 defaults:
   run:
@@ -75,4 +72,3 @@ jobs:
          verbose: true
          packages-dir: download-assets/
          repository-url: https://${{ matrix.virtual-repo-name == 'test-pypi' && 'test.pypi' || 'upload.pypi'}}.org/legacy/
-         password: ${{ secrets.PYPI_TOKEN }}
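Review bot: Removing `PYPI_TOKEN` from the `on.workflow_call.secrets` block is a breaking change for any caller that still passes that secret explicitly rather than via `secrets: inherit`, because GitHub rejects a reusable-workflow call that supplies a secret the callee does not declare; either update the callers in the same change or keep the entry for one release as `required: false` with a comment such as `# deprecated: unused since OIDC trusted publishing (DEVOPS-913)`. The same removal is made in reusable-python-release_pypi_assets.yml at `@@ -23,9 +23,6 @@`. With `password:` gone from both `with:` hunks the publish step depends entirely on trusted publishing, and since `repository-url` still alternates between `test.pypi` and `upload.pypi`, which are separate services, a trusted publisher must be registered on each index the matrix targets or the `test-pypi` entry will fail the token exchange. The step's `uses:` line (presumably pypa/gh-action-pypi-publish, given the `packages-dir`/`repository-url` inputs) is outside these hunks; confirm the pinned version supports trusted publishing and is pinned to a full commit SHA.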