ci: migrate PyPI publishing to OIDC authentication (#3054)

cv1.0.0i: migrate PyPI publishing to OIDC authentication

Replace token-based authentication with OpenID Connect (OIDC) for
enhanced security when publishing to PyPI and Test PyPI.

Signed-off-by: mramotowski <maciej.ramotowski@intel.com>

Author: mramotowski

.github/workflows/_reusable-production-release-process.yaml

@@ -30,8 +30,12 @@
 # - version: Release version
 # - artifact-name: Name of validated artifact
 #
-# Required Secrets:
-# - pypi-token: Production PyPI token
+# Note: PyPI publishing uses OIDC (OpenID Connect) authentication.
+# Configure trusted publisher in PyPI project settings:
+# - Owner: <your-org>
+# - Repository name: anomalib
+# - Workflow name: release.yaml
+# - Environment name: production
 #
 # Example Usage:
 # 1. Production Release:
@@ -57,12 +61,10 @@ on:
       artifact-name:
         required: true
         type: string
-    secrets:
-      pypi-token:
-        required: true
 
 permissions:
   contents: read
+  id-token: write # Required for OIDC authentication with PyPI
 
 jobs:
   validate-release-readiness:
@@ -107,9 +109,8 @@ jobs:
     uses: ./.github/workflows/_reusable-release-publisher.yaml
     permissions:
       contents: write # is required by action-gh-release (nested)
+      id-token: write # Required for OIDC authentication with PyPI
     with:
       version: ${{ inputs.version }}
       artifact-name: production-release-artifacts
       is-prerelease: false
-    secrets:
-      pypi-token: ${{ secrets.pypi-token }}

.github/workflows/_reusable-rc-release-process.yaml

@@ -35,8 +35,12 @@
 # - version: Version to release
 # - artifact-name: Name of build artifact
 #
-# Required Secrets:
-# - test-pypi-token: PyPI token for test deployments
+# Note: PyPI publishing uses OIDC (OpenID Connect) authentication.
+# Configure trusted publisher in Test PyPI project settings:
+# - Owner: <your-org>
+# - Repository name: anomalib
+# - Workflow name: release.yaml
+# - Environment name: technical-review
 #
 # Example Usage:
 # 1. Standard RC Process:
@@ -62,12 +66,10 @@ on:
       artifact-name:
         required: true
         type: string
-    secrets:
-      test-pypi-token:
-        required: true
 
 permissions:
   contents: read
+  id-token: write # Required for OIDC authentication with PyPI
 
 jobs:
   technical-review:
@@ -111,13 +113,10 @@ jobs:
           path: quality-results
 
       - name: Deploy to Test PyPI
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.test-pypi-token }}
-          TWINE_REPOSITORY_URL: https://test.pypi.org/legacy/
-        run: |
-          pip install --upgrade pip twine
-          twine upload dist/*
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          verbose: true
 
       - name: Validate deployment
         id: validate-deployment

.github/workflows/_reusable-release-publisher.yaml

@@ -31,9 +31,16 @@
 # - artifact-name: Name of artifact to publish
 # - is-prerelease: Whether this is a pre-release
 #
-# Required Secrets:
-# - pypi-token: Production PyPI token
-# - test-pypi-token: Test PyPI token (for pre-releases)
+# Note: PyPI publishing uses OIDC (OpenID Connect) authentication.
+# Configure trusted publisher in PyPI project settings:
+# - Owner: <your-org>
+# - Repository name: anomalib
+# - Workflow name: release.yaml
+# - Environment name: production
+#
+# Note: This workflow is used for production and beta releases only.
+# RC releases are published directly from _reusable-rc-release-process.yaml
+# using the 'technical-review' environment.
 #
 # Example Usage:
 # 1. Production Release:
@@ -66,35 +73,24 @@ on:
         description: "Whether this is a pre-release"
         type: boolean
         default: false
-    secrets:
-      pypi-token:
-        required: true
-        description: "PyPI token for package publishing"
-      test-pypi-token:
-        required: false
-        description: "Test PyPI token for pre-releases"
 
-permissions: {} # default permissions only on workflow level
+permissions:
+  id-token: write # Required for OIDC authentication with PyPI
 
 jobs:
   publish:
     runs-on: ubuntu-latest
     environment: ${{ inputs.is-prerelease && 'staging' || 'production' }}
     permissions:
       contents: write # is required by action-gh-release
+      id-token: write # Required for OIDC authentication with PyPI
     steps:
       - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
         with:
           name: ${{ inputs.artifact-name }}
           path: dist
       - name: Publish to PyPI
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ inputs.is-prerelease && secrets.test-pypi-token || secrets.pypi-token }}
-          TWINE_REPOSITORY_URL: ${{ inputs.is-prerelease && 'https://test.pypi.org/legacy/' || '' }}
-        run: |
-          pip install --upgrade pip twine
-          twine upload dist/*
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
       - uses: softprops/action-gh-release@62c96d0c4e8a889135c1f3a25910db8dbe0e85f7 # v2.3.4
         with:
           tag_name: ${{ inputs.version }}

.github/workflows/release.yaml

@@ -29,8 +29,19 @@
 #
 # Required Secrets:
 # - CODECOV_TOKEN: Coverage reporting
-# - TEST_PYPI_TOKEN: RC deployments
-# - PYPI_TOKEN: Production deployments
+#
+# Note: PyPI publishing uses OIDC (OpenID Connect) authentication.
+# Configure trusted publishers in PyPI project settings:
+# - For production/beta releases (PyPI):
+#   - Owner: <your-org>
+#   - Repository name: anomalib
+#   - Workflow name: release.yaml
+#   - Environment name: production
+# - For RC releases (Test PyPI):
+#   - Owner: <your-org>
+#   - Repository name: anomalib
+#   - Workflow name: release.yaml
+#   - Environment name: technical-review
 #
 # Example Usage:
 # 1. Automated (Tag Push):
@@ -85,35 +96,33 @@ jobs:
     needs: [validation]
     if: contains(needs.validation.outputs.version, '-rc')
     uses: ./.github/workflows/_reusable-rc-release-process.yaml
+    permissions:
+      id-token: write # Required for OIDC authentication with PyPI
     with:
       version: ${{ needs.validation.outputs.version }}
       artifact-name: ${{ needs.validation.outputs.artifact-name }}
-    secrets:
-      test-pypi-token: ${{ secrets.TEST_PYPI_TOKEN }}
 
   production-release-process:
     needs: [validation]
     if: ${{ !contains(needs.validation.outputs.version, '-rc') && !contains(needs.validation.outputs.version, 'b') }}
     uses: ./.github/workflows/_reusable-production-release-process.yaml
     permissions:
       contents: write # is required by action-gh-release (nested)
+      id-token: write # Required for OIDC authentication with PyPI
     with:
       version: ${{ needs.validation.outputs.version }}
       artifact-name: ${{ needs.validation.outputs.artifact-name }}
-    secrets:
-      pypi-token: ${{ secrets.PYPI_TOKEN }}
 
   beta-release-process:
     needs: [validation]
     if: contains(needs.validation.outputs.version, 'b')
     uses: ./.github/workflows/_reusable-production-release-process.yaml
     permissions:
       contents: write # is required by action-gh-release (nested)
+      id-token: write # Required for OIDC authentication with PyPI
     with:
       version: ${{ needs.validation.outputs.version }}
       artifact-name: ${{ needs.validation.outputs.artifact-name }}
-    secrets:
-      pypi-token: ${{ secrets.PYPI_TOKEN }}
 
   status:
     needs: