README: replace OIDC with "trusted publishing"

Also updates the link to reference the public documentation
for trusted publishing, rather than the PyPI short help
section (which also needs to be updated).

Signed-off-by: William Woodruff <william@trailofbits.com>
This commit is contained in:
William Woodruff 2023-04-03 21:26:53 +09:00
parent 69efb8cbfb
commit 4372cb5585
No known key found for this signature in database

View file

@ -65,17 +65,17 @@ settings page of your project on GitHub. See [Creating & using secrets].
### Publishing with OpenID Connect ### Publishing with OpenID Connect
> **IMPORTANT**: This functionality is in beta, and will not work for you > **IMPORTANT**: This functionality is in beta, and will not work for you
> unless you're a member of the PyPI OIDC beta testers' group. For more > unless you're a member of the PyPI trusted publishing beta testers' group.
> information, see [warehouse#12965]. > For more information, see [warehouse#12965].
This action supports PyPI's [OpenID Connect publishing] This action supports PyPI's [trusted publishing]
implementation, which allows authentication to PyPI without a manually implementation, which allows authentication to PyPI without a manually
configured API token or username/password combination. To perform configured API token or username/password combination. To perform
[OIDC publishing][OpenID Connect Publishing] with this action, your project's [trusted publishing] with this action, your project's
OIDC publisher must already be configured on PyPI. publisher must already be configured on PyPI.
To enter the OIDC flow, configure this action's job with the `id-token: write` To enter the trusted publishing flow, configure this action's job with the
permission and **without** an explicit username or password: `id-token: write` permission and **without** an explicit username or password:
```yaml ```yaml
jobs: jobs:
@ -83,7 +83,7 @@ jobs:
name: Upload release to PyPI name: Upload release to PyPI
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
id-token: write # IMPORTANT: this permission is mandatory for OIDC publishing id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
steps: steps:
# retrieve your distributions here # retrieve your distributions here
@ -91,7 +91,7 @@ jobs:
uses: pypa/gh-action-pypi-publish@release/v1 uses: pypa/gh-action-pypi-publish@release/v1
``` ```
Other indices that support OIDC publishing can also be used, like TestPyPI: Other indices that support trusted publishing can also be used, like TestPyPI:
```yaml ```yaml
- name: Publish package distributions to TestPyPI - name: Publish package distributions to TestPyPI
@ -268,4 +268,4 @@ https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner-direc
https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md
[warehouse#12965]: https://github.com/pypi/warehouse/issues/12965 [warehouse#12965]: https://github.com/pypi/warehouse/issues/12965
[OpenID Connect Publishing]: https://pypi.org/help/#openid-connect [trusted publishing]: https://docs.pypi.org/trusted-publishers/