feat: Use trusted publisher [PES-1624] (#322)

nicolegros · web-flow · commit a2d890879eb2 · 2025-11-21T07:51:25.000-05:00
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* coveooss/dev-tooling
diff --git a/.github/workflows/semantic-release.yaml b/.github/workflows/semantic-release.yaml
@@ -3,13 +3,16 @@ on:
   push:
     branches: [ main ]
 
+# default: least privileged permissions across all jobs
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   semantic-release:
     environment: production
     runs-on: [ ubuntu-latest ]
+    permissions:
+      contents: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
@@ -31,5 +34,44 @@ jobs:
         shell: bash
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
+        id: release
         run: npx semantic-release
+
+      - name: Upload | Distribution Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: distribution-artifacts
+          path: dist
+          if-no-files-found: error
+
+    outputs:
+      released: ${{ steps.release.conclusion == "success" || 'false' }}
+
+  deploy:
+    # 1. Separate out the deploy step from the publish step to run each step at
+    #    the least amount of token privilege
+    # 2. Also, deployments can fail, and its better to have a separate job if you need to retry
+    #    and it won't require reversing the release.
+    runs-on: ubuntu-latest
+    needs: release
+    if: ${{ needs.release.outputs.released == 'true' }}
+    permissions:
+      contents: read
+      id-token: write
+    environment:
+      name: pypi
+      url: https://pypi.org/project/json-schema-for-humans/
+
+    steps:
+      - name: Setup | Download Build Artifacts
+        uses: actions/download-artifact@v4
+        id: artifact-download
+        with:
+          name: distribution-artifacts
+          path: dist
+
+      - name: Publish to pypi
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+
+        with:
+          print-hash: true
diff --git a/.releaserc.json b/.releaserc.json
@@ -14,6 +14,11 @@
         "preset": "conventionalcommits"
       }
     ],
-    "semantic-release-pypi"
+    [
+    "semantic-release-pypi",
+      {
+        "pypiPublish": false
+      }
+    ]
   ]
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,11 @@`
`14`	`14`	`"preset": "conventionalcommits"`
`15`	`15`	`}`
`16`	`16`	`],`
`17`		`- "semantic-release-pypi"`
	`17`	`+ [`
	`18`	`+ "semantic-release-pypi",`
	`19`	`+ {`
	`20`	`+ "pypiPublish": false`
	`21`	`+ }`
	`22`	`+ ]`
`18`	`23`	`]`
`19`		`-}`
	`24`	`+}`