Switch to trusted publishing; force manylinux2014 wheel builds

peytondmurray · peytondmurray · commit 9fa446ac2505 · 2023-07-21T12:25:34.000-07:00
Signed-off-by: pdmurray &lt;peynmurray@gmail.com&gt;
diff --git a/.github/workflows/pypi_release.yml b/.github/workflows/pypi_release.yml
@@ -14,6 +14,11 @@ on:
     name: Publish Python packages on PyPI
     needs: [build-sdist, build-wheels]
     runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/openvdb
+    permissions:
+      id-token: write
     steps:
       - name:   Download artifacts from commit ${{ github.sha }}
         uses: dawidd6/action-download-artifact@v2
@@ -28,15 +33,11 @@ on:
         uses: pypa/gh-action-pypi-publish@release/v1
         if: ${{ inputs.test_pypi }}
         with:
-          user: __token__
-          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
-          repository_url: https://test.pypi.org/legacy/
+          repository-url: https://test.pypi.org/legacy/
           packages_dir: dist
 
       - name: 🎉 Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         if: ${{ !inputs.test_pypi }}
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
           packages_dir: dist
diff --git a/openvdb/openvdb/python/README.md b/openvdb/openvdb/python/README.md
@@ -54,14 +54,13 @@ Using GitHub actions, new `openvdb` versions are published to PyPI automatically
 when a new OpenVDB release is made. Releases can also published to PyPI by
 triggering the "Build and Release Python Bindings to PyPI" job, and specifying a
 branch/ref; if no ref is specified, the most recent commit on the given branch
-is used. Publishing to PyPI requires an API token to be specified as a secret
-(`PYPI_API_TOKEN`) on the repository.
+is used. Publishing to PyPI requires [trusted publishing][publishing] to be
+configured on PyPI.
 
 If a maintainer wants to test the release process, they can do so by triggering
-a workflow dispatch, and clicking the option to release to `test.pypi.org`. In
-this case, a separate `TEST_PYPI_API_TOKEN` secret must be defined for the
-repository. Once the release is published to the PYPI testing index, you can
-install the release with
+a workflow dispatch, and clicking the option to release to `test.pypi.org`. Once
+the release is published to the PYPI testing index, you can install the release
+with
 
 ```bash
 pip install -v --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple/ openvdb
@@ -77,3 +76,4 @@ packaging for openvdb.
 
 [scikit-build-core]: https://github.com/scikit-build/scikit-build-core
 [cmake_flags]: https://cmake.org/cmake/help/latest/module/FindPython.html
+[publishing]: https://docs.pypi.org/trusted-publishers/
diff --git a/openvdb/openvdb/python/pyproject.toml b/openvdb/openvdb/python/pyproject.toml
@@ -39,3 +39,13 @@ cmake.minimum-version = "3.18"
 [tool.scikit-build.cmake.define]
 OPENVDB_BUILD_CORE = "ON"
 USE_NUMPY = "ON"
+
+[tool.cibuildwheel]
+manylinux-x86_64-image = "manylinux2014"
+manylinux-i686-image = "manylinux2014"
+manylinux-aarch64-image = "manylinux2014"
+manylinux-ppc64le-image = "manylinux2014"
+manylinux-s390x-image = "manylinux2014"
+manylinux-pypy_x86_64-image = "manylinux2014"
+manylinux-pypy_i686-image = "manylinux2014"
+manylinux-pypy_aarch64-image = "manylinux2014"
