From 2a8edec5e80151017ad8042c91949d2674aaebc0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Larivi=C3=A8re?=
Date: Thu, 27 Nov 2025 09:04:44 -0500
Subject: [PATCH] secu(ci): migrate to trusted publishing for PyPI

- Replace twine with pypa/gh-action-pypi-publish@release/v1
- Use OIDC authentication instead of API tokens
- Support both PyPI (production) and TestPyPI (dry-run)
- Separate publish and tagging steps for clarity

Task: DEVOPS-3951
---
 .github/workflows/release-others.yml | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/release-others.yml b/.github/workflows/release-others.yml
index dec8627e..62c861d1 100644
--- a/.github/workflows/release-others.yml
+++ b/.github/workflows/release-others.yml
@@ -158,19 +158,25 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.DEVOLUTIONSBOT_WRITE_TOKEN }}
 
-      - name: Publish Python
-        if: ${{ inputs.publish_python && !inputs.publish_dry_run }}
-        run: |
-          pip install twine
+      - name: Publish Python to TestPyPI (Dry Run)
+        if: ${{ inputs.publish_python && inputs.publish_dry_run }}
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          packages-dir: ./devolutions-crypto-wheels/
+          verbose: true
 
-          if [ '${{ inputs.publish_dry_run }}' == 'true' ]; then
-            twine upload --verbose --repository testpypi -u "__token__" -p ${{ secrets.PYPI_TEST_API_KEY }} ./devolutions-crypto-wheels/*
-          else
-            twine upload --verbose -u "__token__" -p ${{ secrets.PYPI_API_KEY }} ./devolutions-crypto-wheels/*
+      - name: Publish Python to PyPI
+        if: ${{ inputs.publish_python && !inputs.publish_dry_run }}
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: ./devolutions-crypto-wheels/
 
-            git tag "python-v${{ steps.version.outputs.version_native }}"
-            git push origin "python-v${{ steps.version.outputs.version_native }}"
-          fi
+      - name: Tag Python Release
+        if: ${{ inputs.publish_python && !inputs.publish_dry_run }}
+        run: |
+          git tag "python-v${{ steps.version.outputs.version_native }}"
+          git push origin "python-v${{ steps.version.outputs.version_native }}"
 
       - name: Publish Kotlin to Cloudsmith
         if: ${{ inputs.publish_kotlin && !inputs.publish_dry_run }}
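Review bot: The two new `pypa/gh-action-pypi-publish` steps need the job to mint an OIDC token, but none of the 17 inserted lines (the whole diffstat) adds that permission; unless the enclosing job — whose header is outside this hunk — already declares it, both publish steps will fail with an authentication error, so add `permissions:` / `  id-token: write` to the job (and `contents: write` if the tag push relies on GITHUB_TOKEN rather than the bot token set in `env:`). The action is referenced by the mutable branch ref `release/v1`; for a step that signs and uploads release artifacts, pin it to a full commit SHA with the tag in a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<FULL-COMMIT-SHA>  # release/v1`, so a compromised or force-pushed branch cannot swap the publisher. Both steps also require a Trusted Publisher entry on the respective index (pypi.org and test.pypi.org are configured independently) whose workflow filename, repository and environment match this job exactly. Once this lands, `secrets.PYPI_API_KEY` and `secrets.PYPI_TEST_API_KEY` are no longer referenced anywhere in the hunk and should be revoked on the index and deleted from the repository secrets, since a stale long-lived token remains a credential to lose.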