⬆️ CI/CD: Migrate PyPI workflows to OpenID Connect authentication

FernandoCelmer · FernandoCelmer · commit 8611af2fe826 · 2025-11-25T03:20:38.000-03:00
- Replace API token secrets with OIDC-based authentication
- Add id-token: write permission for OIDC token generation
- Configure environment-based deployment (pypi and pypi-test)
- Update pypa/gh-action-pypi-publish to latest release/v1 version
- Update actions/checkout and actions/setup-python to latest versions
- Remove dependency on PYPI_API_TOKEN and TEST_PYPI_API_TOKEN secrets
- Improve security with short-lived tokens and granular access control
diff --git a/.github/workflows/python-publish-pypi-test.yml b/.github/workflows/python-publish-pypi-test.yml
@@ -6,18 +6,20 @@ on:
 
 permissions:
   contents: write
+  id-token: write  # Necessário para OIDC
 
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    environment: pypi-test  # Opcional, mas recomendado para segurança
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with: 
         repo-token: ${{ secrets.GITHUB_TOKEN }}
 
     - name: ⚙️ Set up Python 3.11
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v5
       with:
         python-version: "3.11"
 
@@ -30,7 +32,6 @@ jobs:
       run: python -m build
 
     - name: 📦 Publish Package to Test PyPI
-      uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29
+      uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        password: ${{ secrets.TEST_PYPI_API_TOKEN }}
-        repository_url: https://test.pypi.org/legacy/
+        repository-url: https://test.pypi.org/legacy/
diff --git a/.github/workflows/python-publish-pypi.yml b/.github/workflows/python-publish-pypi.yml
@@ -6,15 +6,17 @@ on:
 
 permissions:
   contents: read
+  id-token: write  # Necessário para OIDC
 
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    environment: pypi  # Opcional, mas recomendado para segurança
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: ⚙️ Set up Python 3.10
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v5
       with:
         python-version: "3.10"
     - name: ⚙️ Install dependencies
@@ -24,7 +26,4 @@ jobs:
     - name: 📦 Build Package
       run: python -m build
     - name: 📦 Publish Package to PyPI
-      uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29
-      with:
-        user: __token__
-        password: ${{ secrets.PYPI_API_TOKEN }}
+      uses: pypa/gh-action-pypi-publish@release/v1
