mirror of
https://github.com/pypa/gh-action-pypi-publish.git
synced 2024-11-22 16:41:07 -05:00
🎨 Show GH environments use in README examples
It is a useful protection feature giving the end-users more control over the release flow and trust.
This commit is contained in:
parent
3b6670b0bd
commit
7a1a355fb5
1 changed files with 4 additions and 0 deletions
|
@ -86,6 +86,9 @@ jobs:
|
||||||
pypi-publish:
|
pypi-publish:
|
||||||
name: Upload release to PyPI
|
name: Upload release to PyPI
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
environment:
|
||||||
|
name: pypi
|
||||||
|
url: https://pypi.org/p/<your-pypi-project-name>
|
||||||
permissions:
|
permissions:
|
||||||
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
|
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
|
||||||
steps:
|
steps:
|
||||||
|
@ -103,6 +106,7 @@ Other indices that support trusted publishing can also be used, like TestPyPI:
|
||||||
with:
|
with:
|
||||||
repository-url: https://test.pypi.org/legacy/
|
repository-url: https://test.pypi.org/legacy/
|
||||||
```
|
```
|
||||||
|
_(don't forget to update the environment name to `testpypi` or similar!)_
|
||||||
|
|
||||||
> **Pro tip**: only set the `id-token: write` permission in the job that does
|
> **Pro tip**: only set the `id-token: write` permission in the job that does
|
||||||
> publishing, not globally. Also, try to separate building from publishing
|
> publishing, not globally. Also, try to separate building from publishing
|
||||||
|
|
Loading…
Reference in a new issue