From dd6ef713b83247d92e597576347ffebffb7b0841 Mon Sep 17 00:00:00 2001
From: Sait Cakmak
Date: Thu, 2 May 2024 11:54:57 -0700
Subject: [PATCH] Use trusted publisher for PyPI uploads (#2330)
Summary: [Upgrade to Trusted Publishing](https://github.com/pytorch/botorch/actions/runs/8914483363/job/24484640242#step:9:20) Trusted Publishers allows publishing packages to PyPI from automated environments like GitHub Actions without needing to use username/password combinations or API tokens to authenticate with PyPI. Read more: https://docs.pypi.org/trusted-publishers I set-up the trusted publishers for deploy & nightly workflows on pypi & test-pypi. These will generate temporary tokens for upload originating from these workflows and avoid the need for tokens.
Pull Request resolved: https://github.com/pytorch/botorch/pull/2330
Test Plan: https://github.com/pytorch/botorch/actions/runs/8916612542/job/24488330050
Reviewed By: Balandat
Differential Revision: D56861480
Pulled By: saitcakmak
fbshipit-source-id: 6a2a5403bae6fcc76a5ac2ae947d73473b8d47e6
---
 .github/workflows/deploy_on_release.yml | 4 ++--
 .github/workflows/nightly.yml | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/deploy_on_release.yml b/.github/workflows/deploy_on_release.yml
index 98d0f649ea..41cf8a357a 100644
--- a/.github/workflows/deploy_on_release.yml
+++ b/.github/workflows/deploy_on_release.yml
@@ -18,6 +18,8 @@ jobs:
 package-deploy-pypi:
 name: Package and deploy to pypi.org
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write # This is required for PyPI OIDC authentication.
 needs: tests-and-coverage-pip
 steps:
 - uses: actions/checkout@v4
@@ -40,8 +42,6 @@ jobs:
 - name: Deploy to PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
 with:
- user: __token__
- password: ${{ secrets.PYPI_TOKEN }}
 verbose: true
 
 package-deploy-conda:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 00c6fa379a..fe09cbdf72 100644
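Review bot: The `id-token: write` permission added at `@@ -18,6 +18,8 @@` in deploy_on_release.yml is granted to the whole `package-deploy-pypi` job, so every step that runs before the publish step can also request an OIDC token that PyPI will exchange for an upload credential. Those earlier steps (checkout and, presumably, dependency installation and the package build) lie outside this hunk. The same applies to the `package-test-deploy-pypi` job in nightly.yml. Consider building in a job without the permission, handing the distributions over as an artifact, and keeping `id-token: write` on a small publish-only job, optionally bound to a GitHub environment that the trusted publisher entry on PyPI also names. The job, artifact and environment names in the sketch are constructed, and the build job would need a matching artifact upload step.

```yaml
  # … unchanged: package-deploy-pypi keeps checkout and build, without the permissions block,
  #   and ends by uploading dist/ as an artifact …

  publish-pypi:
    name: Publish to pypi.org
    runs-on: ubuntu-latest
    needs: package-deploy-pypi
    environment: pypi  # constructed name; must match the trusted publisher entry on PyPI
    permissions:
      id-token: write  # This is required for PyPI OIDC authentication.
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist  # constructed artifact name
          path: dist/
      - name: Deploy to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          verbose: true
```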
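Review bot: The publish step at `@@ -40,8 +42,6 @@` in deploy_on_release.yml still references `pypa/gh-action-pypi-publish@release/v1`, a branch ref that can move, and that step now runs in a job able to obtain PyPI upload credentials through OIDC. Pinning it to a full commit SHA, `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, fixes which code executes with that permission. The same `uses:` line appears in the `Deploy to Test PyPI` step of nightly.yml. Since the `password:` inputs are removed, the API tokens behind `PYPI_TOKEN` and `TEST_PYPI_TOKEN` should also be revoked on PyPI and Test PyPI and deleted from the repository secrets; otherwise the long-lived credentials remain valid alongside the new flow.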
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -18,6 +18,8 @@ jobs:
 package-test-deploy-pypi:
 name: Package and test deployment to test.pypi.org
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write # This is required for PyPI OIDC authentication.
 steps:
 - uses: actions/checkout@v4
 - name: Fetch all history for all tags and branches
@@ -54,10 +56,8 @@ jobs:
 - name: Deploy to Test PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
 with:
- user: __token__
- password: ${{ secrets.TEST_PYPI_TOKEN }}
- repository_url: https://test.pypi.org/legacy/
- skip_existing: true
+ repository-url: https://test.pypi.org/legacy/
+ skip-existing: true
 verbose: true
 
 package-conda: