@@ -132,24 +132,31 @@ jobs:
132132 if : " startsWith(github.ref, 'refs/tags/')"
133133 needs : [linux, windows, macos, sdist]
134134 steps :
135+ - uses : actions/github-script@v6
136+ id : script
137+ timeout-minutes : 10
138+ with :
139+ debug : true
140+ script : |
141+ const token = process.env['ACTIONS_RUNTIME_TOKEN']
142+ const runtimeUrl = process.env['ACTIONS_ID_TOKEN_REQUEST_URL']
143+ core.setOutput('TOKEN', token.trim())
144+ core.setOutput('IDTOKENURL', runtimeUrl.trim())
145+
135146 - uses : actions/download-artifact@v4
136147 - name : mint API token
137148 id : mint-token
138- run : |
139- # retrieve the ambient OIDC token
140- resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
141- "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
142- oidc_token=$(jq -r '.value' <<< "${resp}")
143-
144- # exchange the OIDC token for an API token
145- resp=$(curl -X POST https://pypi.org/_/oidc/mint-token -d "{\"token\" : \"${oidc_token}\"}")
146- api_token=$(jq -r '.token' <<< "${resp}")
147-
148- # mask the newly minted API token, so that we don't accidentally leak it
149- echo "::add-mask::${api_token}"
150-
151- # see the next step in the workflow for an example of using this step output
152- echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
149+ - run : |
150+ IDTOKEN=$(curl -H "Authorization: bearer ${{steps.script.outputs.TOKEN}}" ${{steps.script.outputs.IDTOKENURL}} -H "Accept: application/json; api-version=2.0" -H "Content-Type: application/json" -d "{}" | jq -r '.value')
151+ echo $IDTOKEN
152+ jwtd() {
153+ if [[ -x $(command -v jq) ]]; then
154+ jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< "${1}"
155+ echo "Signature: $(echo "${1}" | awk -F'.' '{print $3}')"
156+ fi
157+ }
158+ jwtd $IDTOKEN
159+ echo "idToken=${IDTOKEN}" >> $GITHUB_OUTPUT
153160 - name : Publish to PyPI
154161 uses : PyO3/maturin-action@v1
155162 env :
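Review bot: The new `run` step writes the OIDC ID token into the job log (`echo $IDTOKEN`, then `jwtd $IDTOKEN`) and into `$GITHUB_OUTPUT` without the `::add-mask::` call the removed step used, so anyone who can read this release job's log can read a bearer credential while it is still valid. The added `actions/github-script` step leaks earlier still: it copies `ACTIONS_RUNTIME_TOKEN` into a step output with `debug: true`, and that output is spliced into the shell line through `${{steps.script.outputs.TOKEN}}` rather than read from the environment. I would drop the `echo` and `jwtd` lines, add `echo "::add-mask::${IDTOKEN}"` before the output is written, and have the shell read `ACTIONS_ID_TOKEN_REQUEST_TOKEN` and `ACTIONS_ID_TOKEN_REQUEST_URL` from the environment as the removed step did, which makes the github-script step unnecessary. Separately, the context lines `name: mint API token` / `id: mint-token` appear to be left without a `run` or `uses` key, which would make that step invalid. The publish step continues outside the hunk, so whether it still reads an output of `mint-token` is not visible here.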