ci: use trusted pypi publisher

Signed-off-by: aarnphm-ec2-dev <29749331+aarnphm@users.noreply.github.com>
2026-03-10 19:22:10 -04:00 · 2023-07-07 07:18:13 +00:00
parent fb849a384e
commit d3e4b95e84
3 changed files with 20 additions and 20 deletions
--- a/.github/actions/release.sh
+++ b/.github/actions/release.sh
@@ -83,11 +83,7 @@ towncrier build --yes --version "${RELEASE_VERSION}" && git add CHANGELOG.md cha
 git add src/openllm/__about__.py package.json && git commit -S -sm "infra: prepare for release ${RELEASE_VERSION} [generated]"
 git push origin main

-echo "Building artifacts for releasing..." && hatch build
-
-echo "Releasing version ${RELEASE_VERSION}" && hatch publish
-
-echo "Releasing tag ${RELEASE_VERSION}..." && git tag -a "v${RELEASE_VERSION}" -sm "Release ${RELEASE_VERSION} [generated by tools/release]"
+echo "Releasing tag ${RELEASE_VERSION}..." && git tag -a "v${RELEASE_VERSION}" -sm "Release ${RELEASE_VERSION} [generated by GitHub Actions]"
 git push origin "v${RELEASE_VERSION}"

 echo "Finish releasing version ${RELEASE_VERSION}"
--- a/.github/workflows/create-releases.yml
+++ b/.github/workflows/create-releases.yml
@@ -25,13 +25,6 @@ on:
          - major
          - minor
          - patch
-env:
-  # This special value tells pypi that the user identity is supplied within the token
-  HATCH_INDEX_USER: __token__
-  # Note, the PYPI_API_TOKEN is for the OpenLLM PyPI user, on
-  # https://github.com/bentoml/openllm/settings/secrets/actions
-  HATCH_INDEX_AUTH: ${{ secrets.PYPI_API_TOKEN }}
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrun
 defaults:
  run:
    shell: bash --noprofile --norc -exo pipefail {0}
@@ -39,7 +32,6 @@ jobs:
  release:
    if: github.repository_owner == 'bentoml'
    runs-on: ubuntu-latest
-    environment: release
    permissions:
      contents: write
      id-token: write
@@ -88,10 +80,29 @@ jobs:
    needs: release
    name: Create binary/wheels distribution
    uses: bentoml/OpenLLM/.github/workflows/binary-releases.yml@main
+  publish-python:
+    if: github.repository_owner == 'bentoml' && github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags')
+    needs:
+      - binary-distribution
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - name: Download Python artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: python-artifacts
+          path: dist
+      - name: Push Python artifacts to PyPI
+        uses: pypa/gh-action-pypi-publish@v1.8.7
+        with:
+          skip-existing: true
  prepare-for-dev-cycle:
    if: github.repository_owner == 'bentoml'
    needs:
      - release
+      - publish-python
      - binary-distribution
    name: Create release notes and setup for next cycle
    uses: bentoml/OpenLLM/.github/workflows/release-notes.yml@main
--- a/.github/workflows/release-notes.yml
+++ b/.github/workflows/release-notes.yml
@@ -25,13 +25,6 @@ on:
      tags:
        required: true
        type: string
-env:
-  # This special value tells pypi that the user identity is supplied within the token
-  HATCH_INDEX_USER: __token__
-  # Note, the PYPI_API_TOKEN is for the OpenLLM PyPI user, on
-  # https://github.com/bentoml/openllm/settings/secrets/actions
-  HATCH_INDEX_AUTH: ${{ secrets.PYPI_API_TOKEN }}
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrun
 defaults:
  run:
    shell: bash --noprofile --norc -exo pipefail {0}