Trusted Publishing and better social media publishing (#1469)

### Pull Request Checklist: - [ ] This PR addresses an already opened issue (for bug fixes / features) - This PR fixes #xyz - [ ] Tests for the changes have been added (for bug fixes / features) - [ ] (If applicable) Documentation has been added / updated (for bug fixes / features) - [x] CHANGES.rst has been updated (with summary of main changes) - [x] Link to issue (:issue:`number`) and pull request (:pull:`number`) has been added ### What kind of change does this PR introduce? * Replaces the token-based authentication for uploads to PyPI/TestPyPI with the Trusted Publishing feature * Implement deployment environments as a security measure when running workflows that upload to PyPI/TestPyPI * Fixes the Mastodon-publishing action so that excess quotation marks (`"`) are removed * Mastodon publishing now uses `chuhlomin/render-template` to format toots. ### Does this PR introduce a breaking change? Not really. The publishing workflows are no longer dependent on authentication tokens, so these should be removed from the repository secrets and voided. ### Other information: * https://docs.pypi.org/trusted-publishers/ * https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment * https://github.com/chuhlomin/render-template
Ouranosinc · Sep 28, 2023 · 7c2869e · 7c2869e
2 parents 5763143 + 154259a
commit 7c2869e
Show file tree

Hide file tree

Showing 6 changed files with 72 additions and 19 deletions.
diff --git a/.github/workflows/publish-mastodon.template.md b/.github/workflows/publish-mastodon.template.md
@@ -0,0 +1,6 @@
+New #xclim release: v{{ .version }} 🎉
+
+Latest source code available at: https://github.com/Ouranosinc/xclim/releases/tag/{{ .version }}
+Check out the docs for more information: https://xclim.readthedocs.io/en/stable/
+
+{{ .contributors }}
diff --git a/.github/workflows/publish-mastodon.yml b/.github/workflows/publish-mastodon.yml
@@ -5,30 +5,72 @@ on:
     types:
       - published
   workflow_dispatch:
+    inputs:
+      version-tag:
+        description: 'Version to announce'
+        required: true
+        type: string
+      dry-run:
+        description: 'Dry run'
+        default: true
+        type: boolean
 
 jobs:
   build:
     runs-on: ubuntu-latest
+    environment: production
     steps:
 
     - name: Checkout
       uses: actions/[email protected]
 
     - name: Current Version
+      if: ${{ !github.event.inputs.version-tag }}
       run: |
         CURRENT_VERSION="$(grep -E '__version__'  xclim/__init__.py | cut -d ' ' -f3)"
-        echo "current_version=${CURRENT_VERSION}" >> $GITHUB_ENV
+        echo "version=v${CURRENT_VERSION}" >> $GITHUB_ENV
+    - name: Set Version from Input
+      if: ${{ github.event.inputs.version-tag }}
+      run: |
+        echo "version=${{ github.event.inputs.version-tag }}" >> $GITHUB_ENV
+
+    - name: Get Release Description
+      if: ${{ !endsWith(env.current_version, '-dev') }}
+      id: get_release_description
+      run: |
+        # Fetch the release information using the GitHub API
+        RELEASE_INFO=$(curl -sH "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+          "https://api.github.com/repos/${{ github.repository }}/releases/tags/${{ env.version }}")
+
+        # Extract the release description from the response
+        RELEASE_DESCRIPTION=$(echo "$RELEASE_INFO" | jq -r .body)
+
+        # Remove Markdown links and the space preceding them
+        CLEANED_DESCRIPTION=$(echo "$RELEASE_DESCRIPTION" | sed -E 's/\[([^\]]+)\]\([^)]+\)//g')
+
+        # Extract the first line of the release description
+        CONTRIBUTORS=$(echo "$CLEANED_DESCRIPTION" | head -n 1)
+
+        echo "CONTRIBUTORS=${CONTRIBUTORS}" >> $GITHUB_ENV
+
+    - name: Prepare Message
+      id: render_template
+      uses: chuhlomin/[email protected]
+      with:
+        template: publish-mastodon.template.md
+        vars: |
+            version: ${{ env.version }}
+            contributors: ${{ env.CONTRIBUTORS }}
+
+    - name: Message Preview
+      run: echo "${{ steps.render_template.outputs.result }}"
 
     - name: Send toot to Mastodon
-      id: mastodon
+      if: ${{ !github.event.inputs.dry-run }}
       uses: cbrgm/[email protected]
       with:
-        message: |
-          New #xclim release: v${{ env.current_version }} 🎉
-
-          Source code available at: https://github.com/Ouranosinc/xclim
-          Check out the docs for more information: https://xclim.readthedocs.io/en/v${{ env.current_version }}/
-        visibility: "public" # default: public
+        message: ${{ steps.render_template.outputs.result }}
+        visibility: "public"
       env:
-        MASTODON_URL: ${{ secrets.MASTODON_URL }} # https://example.social
-        MASTODON_ACCESS_TOKEN: ${{ secrets.MASTODON_ACCESS_TOKEN }} # access token
+        MASTODON_URL: ${{ secrets.MASTODON_URL }}
+        MASTODON_ACCESS_TOKEN: ${{ secrets.MASTODON_ACCESS_TOKEN }}
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
@@ -8,6 +8,10 @@ on:
 jobs:
   build-n-publish-pypi:
     name: Build and publish Python 🐍 distributions 📦 to PyPI
+    environment: production
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/[email protected]
@@ -21,6 +25,3 @@ jobs:
         run: flit build
       - name: Publish distribution 📦 to PyPI
         uses: pypa/[email protected]
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
diff --git a/.github/workflows/tag-testpypi.yml b/.github/workflows/tag-testpypi.yml
@@ -3,11 +3,15 @@ name: Publish Python 🐍 distributions 📦 to TestPyPI
 on:
   push:
     tags:
-      - '*'
+      - 'v*'
 
 jobs:
   build-n-publish-testpypi:
     name: Build and publish Python 🐍 distributions 📦 to TestPyPI
+    environment: staging
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/[email protected]
@@ -22,7 +26,5 @@ jobs:
       - name: Publish distribution 📦 to Test PyPI
         uses: pypa/[email protected]
         with:
-          user: __token__
-          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
-          repository_url: https://test.pypi.org/legacy/
-          skip_existing: true
+          repository-url: https://test.pypi.org/legacy/
+          skip-existing: true
diff --git a/.readthedocs.yml b/.readthedocs.yml
@@ -10,7 +10,7 @@ sphinx:
 build:
   os: ubuntu-22.04
   tools:
-    python: "mambaforge-4.10"
+    python: "mambaforge-22.9"
   jobs:
     pre_build:
       - sphinx-apidoc -o docs/apidoc/ --private --module-first xclim xclim/testing/tests xclim/indicators xclim/indices

diff --git a/CHANGES.rst b/CHANGES.rst
@@ -32,6 +32,8 @@ Internal changes
 * Updated the testing data used in the `analogs.ipynb` notebook to use the testing data now found in `Ouranosinc/xclim-testdata`'s main branch. (`xclim-testdata PR/26 <https://github.com/Ouranosinc/xclim-testdata/pull/26>`_, :pull:`1473`).
 * Fixed an issue with automatic labelling that occurs when a Pull Request is made from a forked repository. (:pull:`1479`).
 * Changes to the ``.zenodo.json`` file no longer are marked as CI-related changes. (:pull:`1479`).
+* GitHub deployment workflows now employs use of deployment environments for workflow security and uses the `Trusted Publisher <https://docs.pypi.org/trusted-publishers/using-a-publisher/>`_ feature to sign and publish the `xclim` wheel and source distributions. (:pull:`1469`).
+* Mastodon publishing now uses `chuhlomin/render-template <https://github.com/chuhlomin/render-template>`_ and a standard formatting markdown document to format Mastodon toots. (:pull:`1469`).
 
 v0.45.0 (2023-09-05)
 --------------------