From 591d2189c10a96db0a0561e51c1178e41256aff7 Mon Sep 17 00:00:00 2001
From: pulpbot <pulp-infra@redhat.com>
Date: Sun, 16 Nov 2025 03:00:50 +0000
Subject: [PATCH] Update CI files

---
 .github/workflows/publish.yml | 88 +++++++++++------------------------
 1 file changed, 27 insertions(+), 61 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 018013ad..525144fa 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -23,47 +23,28 @@ jobs:
     runs-on: "ubuntu-latest"
     needs:
       - "build"
-
-    env:
-      GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+    environment:
+      name: "pypi"
+      url: "https://pypi.org/p/pulp-python"
+    permissions:
+      id-token: "write"
 
     steps:
-      - uses: "actions/checkout@v4"
-        with:
-          fetch-depth: 1
-          path: "pulp_python"
-
       - uses: "actions/download-artifact@v4"
         with:
           name: "plugin_package"
-          path: "pulp_python/dist/"
+          path: "dist/"
 
-      - uses: "actions/setup-python@v5"
-        with:
-          python-version: "3.11"
-
-      - name: "Install python dependencies"
-        run: |
-          echo ::group::PYDEPS
-          pip install twine
-          echo ::endgroup::
-
-      - name: "Setting secrets"
-        run: |
-          python3 .github/workflows/scripts/secrets.py "$SECRETS_CONTEXT"
-        env:
-          SECRETS_CONTEXT: "${{ toJson(secrets) }}"
-
-      - name: "Deploy plugin to pypi"
-        run: |
-          .github/workflows/scripts/publish_plugin_pypi.sh ${{ github.ref_name }}
+      - name: "Publish package to PyPI"
+        uses: pypa/gh-action-pypi-publish@release/v1
   publish-python-bindings:
     runs-on: "ubuntu-latest"
     needs:
       - "build"
-
-    env:
-      GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+    environment:
+      name: "pypi"
+    permissions:
+      id-token: "write"
 
     steps:
       - uses: "actions/checkout@v4"
@@ -81,32 +62,18 @@ jobs:
         run: |
           tar -xvf python-python-client.tar
 
-      - uses: "actions/setup-python@v5"
-        with:
-          python-version: "3.11"
-
-      - name: "Install python dependencies"
-        run: |
-          echo ::group::PYDEPS
-          pip install twine
-          echo ::endgroup::
-
-      - name: "Setting secrets"
-        run: |
-          python3 .github/workflows/scripts/secrets.py "$SECRETS_CONTEXT"
-        env:
-          SECRETS_CONTEXT: "${{ toJson(secrets) }}"
-
       - name: "Publish client to pypi"
-        run: |
-          bash .github/workflows/scripts/publish_client_pypi.sh ${{ github.ref_name }}
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: "pulp_python/dist/"
   publish-ruby-bindings:
     runs-on: "ubuntu-latest"
     needs:
       - "build"
-
-    env:
-      GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+    environment:
+      name: "rubygems"
+    permissions:
+      id-token: "write"
 
     steps:
       - uses: "actions/checkout@v4"
@@ -128,15 +95,12 @@ jobs:
         with:
           ruby-version: "2.6"
 
-      - name: "Setting secrets"
-        run: |
-          python3 .github/workflows/scripts/secrets.py "$SECRETS_CONTEXT"
-        env:
-          SECRETS_CONTEXT: "${{ toJson(secrets) }}"
+      - name: "Set RubyGems Credentials"
+        uses: "rubygems/configure-rubygems-credentials@v1.0.0"
 
-      - name: "Publish client to rubygems"
+      - name: "Publish client to RubyGems"
         run: |
-          bash .github/workflows/scripts/publish_client_gem.sh ${{ github.ref_name }}
+          gem push "pulp_python_client-${{ github.ref_name }}.gem"
 
   create-gh-release:
     runs-on: "ubuntu-latest"
@@ -179,14 +143,16 @@ jobs:
 
       - name: "Create release on GitHub"
         uses: "actions/github-script@v7"
+        env:
+          RELEASE_BODY: ${{ steps.get_release_notes.outputs.body }}
         with:
           script: |
-            const { TAG_NAME } = process.env;
+            const { TAG_NAME, RELEASE_BODY } = process.env;
 
             await github.rest.repos.createRelease({
               owner: context.repo.owner,
               repo: context.repo.repo,
               tag_name: TAG_NAME,
-              body: `${{ steps.get_release_notes.outputs.body }}`,
+              body: RELEASE_BODY,
               make_latest: "legacy",
             });