From de61562fc80e3c09c08a411daea1eae6557af3af Mon Sep 17 00:00:00 2001
From: Juanpe Araque
Date: Tue, 27 May 2025 10:24:58 +0200
Subject: [PATCH 1/2] Migrate PyPi publishing to Trusted Publishers and environments
---
 .github/workflows/build-ddev.yml | 5 +++--
 .github/workflows/claim-pypi-name.yaml | 4 +++-
 .github/workflows/release-base.yml | 18 +++++++++++++-----
 .github/workflows/release-dev.yml | 18 +++++++++++++-----
 4 files changed, 32 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/build-ddev.yml b/.github/workflows/build-ddev.yml
index 75282ba2f08e0..ecc156d3a0bc9 100644
--- a/.github/workflows/build-ddev.yml
+++ b/.github/workflows/build-ddev.yml
@@ -579,6 +579,9 @@ jobs:
 permissions:
 contents: write
+ id-token: write
+
+ environment: pypi-ddev
 steps:
 - name: Download Python artifacts
@@ -605,8 +608,6 @@ jobs:
 uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
 with:
 skip-existing: true
- user: __token__
- password: ${{ secrets.PYPI_TOKEN_DDEV_2 }}
 - name: Add assets to current release
 uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
diff --git a/.github/workflows/claim-pypi-name.yaml b/.github/workflows/claim-pypi-name.yaml
index 71bb8fbd61e8b..b3ca683c066d4 100644
--- a/.github/workflows/claim-pypi-name.yaml
+++ b/.github/workflows/claim-pypi-name.yaml
@@ -21,6 +21,8 @@ jobs:
 name: Build wheel
 runs-on: ubuntu-latest
+ environment: typo-squatting-release
+
 steps:
 - name: Checkout code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -46,4 +48,4 @@ jobs:
 # Only uploading the missing wheels makes this job idempotent and reduces its complexity.
 skip-existing: true
 user: __token__
- password: ${{ secrets.INTEGRATIONS_PYPI_NAME_CLAIM }}
+ password: ${{ secrets.PYPI_TOKEN }}
diff --git a/.github/workflows/release-base.yml b/.github/workflows/release-base.yml
index 7651451848420..0e075999d9e36 100644
--- a/.github/workflows/release-base.yml
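Review bot: The new `environment: pypi-ddev` is the only control between "can run this workflow" and "can publish ddev to PyPI", because the trusted-publisher match on PyPI covers repository, workflow file name and environment but not the branch or tag, so the `pypi-ddev` environment needs deployment protection rules (restrict deployments to the release tags or branch, ideally with required reviewers) or any run of `build-ddev.yml` from any ref in this repository can obtain a publishing token. I cannot see the environment settings from the diff, so confirm they are locked down before the old API token is revoked. The job also keeps `contents: write` next to `id-token: write`; both appear to be needed by the steps in the next hunk, but a comment such as `# contents: write is for the release-asset upload; id-token: write is for PyPI Trusted Publishing` would stop a future cleanup from dropping one of them. The `build-ddev.yml` job this belongs to starts above the hunk.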
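Review bot: Dropping the `user`/`password` inputs stops using `PYPI_TOKEN_DDEV_2` but does not retire it: the API token stays valid on PyPI and the secret stays readable by every job in this repository until both are revoked and deleted. Make that part of the rollout — revoke the token in the PyPI project settings and delete the repository secret — and do the same for `PYPI_TOKEN_BASE_2` and `PYPI_TOKEN_DEV_2`, which are removed in the other files of this patch. Until then the migration removes a credential from the workflow but not from the attack surface.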
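Review bot: This job gains `environment: typo-squatting-release` but, unlike the `release` jobs in `release-base.yml` and `release-dev.yml` in this same patch, declares no job-level `permissions:`, so its `GITHUB_TOKEN` keeps whatever the repository or workflow default grants; none of the steps visible here need more than a checkout, so add `permissions:` with `contents: read` under `runs-on:`. The environment name is also the only hint at what the job does; if it is indeed reserving integration package names, a one-line comment above `name: Build wheel` such as `# Publishes placeholder wheels so the integration package names cannot be claimed by a third party on PyPI` would help the next reader, and the environment should carry deployment protection rules, since the secret it scopes (see the second hunk) can presumably upload to many projects. The job definition continues below the hunk.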
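Review bot: This upload still authenticates with a long-lived API token (`user: __token__` / `password: ${{ secrets.PYPI_TOKEN }}`), so despite the commit title this job is not migrated to Trusted Publishing; only the secret name changed. If that is deliberate — trusted publishers are configured per PyPI project and this job appears to upload to many — say so above the step, e.g. `# Trusted Publishing is configured per project and this job claims many names, so it keeps an API token scoped to the typo-squatting-release environment`, and make sure `PYPI_TOKEN` is an environment secret rather than a repository secret, otherwise the new `environment:` line adds no access control. A token that can upload to every claimed project is a high-value credential, so the environment should also have deployment protection rules. The `uses:` line of this step is above the hunk.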
+++ b/.github/workflows/release-base.yml
@@ -9,6 +9,11 @@ jobs:
 release:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+
+ environment: pypi-datadog-checks-base
+
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -30,8 +35,11 @@ jobs:
 ddev config set repos.core .
 ddev config set repo core
- - name: Release base package
- run: ddev release upload -s datadog_checks_base
- env:
- TWINE_USERNAME: __token__
- TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN_BASE_2 }}
+ - name: Build base package
+ run: ddev release build datadog_checks_base
+
+ - name: Release base package to PyPI
+ uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
+ with:
+ skip-existing: true
+ packages-dir: datadog_checks_base/dist
diff --git a/.github/workflows/release-dev.yml b/.github/workflows/release-dev.yml
index bef02f5eac827..be26b97e0171b 100644
--- a/.github/workflows/release-dev.yml
+++ b/.github/workflows/release-dev.yml
@@ -9,6 +9,11 @@ jobs:
 release:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+
+ environment: pypi-datadog-checks-dev
+
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -30,8 +35,11 @@ jobs:
 ddev config set repos.core .
 ddev config set repo core
- - name: Release dev package
- run: ddev release upload -s datadog_checks_dev
- env:
- TWINE_USERNAME: __token__
- TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN_DEV_2 }}
+ - name: Build dev package
+ run: ddev release build datadog_checks_dev
+
+ - name: Release dev package to PyPI
+ uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
+ with:
+ skip-existing: true
+ packages-dir: datadog_checks_dev/dist
From bf37f6e5376841472876d32dbbd0324a50936ee5 Mon Sep 17 00:00:00 2001
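Review bot: Declaring `permissions:` with only `id-token: write` sets every other scope of the job's `GITHUB_TOKEN`, including `contents`, to `none`, and the next visible step is `actions/checkout`; that may still succeed for a public repository, but it is implicit and diverges from the usual Trusted Publishing examples, which list `contents: read` alongside `id-token: write`. Add `contents: read` under `id-token: write` so the read grant is explicit and the job keeps working if the repository visibility or checkout inputs change. Note also that `id-token: write` is granted to the whole `release` job, not just the publish step — the build steps that follow in the next hunk run with it too. The job body continues below the hunk.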
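Review bot: The build step `ddev release build datadog_checks_base` now runs inside the job that holds `id-token: write`, so everything executed during the build — the checked-out tree, the build backend and its dependencies — can request the job's OIDC token and exchange it at PyPI for an upload token, which is precisely the exposure Trusted Publishing is meant to shrink. The pypa guidance is to build in one job, hand the distribution over as an artifact, and publish from a separate minimal job that only has `id-token: write` and the environment (the pattern `build-ddev.yml` already follows with its "Download Python artifacts" step). The split below keeps the publish step as written; the checkout and `ddev config` steps above the hunk move into the build job unchanged.
```yaml
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # … unchanged: checkout, Python setup and the `ddev config` steps …
      - name: Build base package
        run: ddev release build datadog_checks_base

      - name: Upload distribution
        uses: actions/upload-artifact@v4  # pin to a commit SHA like the other actions in this file
        with:
          name: datadog_checks_base-dist
          path: datadog_checks_base/dist

  release:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    environment: pypi-datadog-checks-base
    steps:
      - name: Download distribution
        uses: actions/download-artifact@v4  # pin to a commit SHA like the other actions in this file
        with:
          name: datadog_checks_base-dist
          path: datadog_checks_base/dist

      - name: Release base package to PyPI
        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
        with:
          skip-existing: true
          packages-dir: datadog_checks_base/dist
```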
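Review bot: As in `release-base.yml`, the job-level `permissions:` block here lists only `id-token: write`, which sets `contents` and every other scope of the `GITHUB_TOKEN` to `none` while the next step still runs `actions/checkout`; add `contents: read` under `id-token: write` so the read grant is explicit instead of relying on the repository being public. The grant applies to the whole `release` job, including the build step in the following hunk. The job body continues below the hunk.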
From: Juanpe Araque
Date: Tue, 27 May 2025 10:48:52 +0200
Subject: [PATCH 2/2] Add comments to clarify the OIDC workflow
---
 .github/workflows/build-ddev.yml | 5 +++++
 .github/workflows/release-base.yml | 5 +++++
 .github/workflows/release-dev.yml | 5 +++++
 3 files changed, 15 insertions(+)
diff --git a/.github/workflows/build-ddev.yml b/.github/workflows/build-ddev.yml
index ecc156d3a0bc9..87c6f3f4f43fc 100644
--- a/.github/workflows/build-ddev.yml
+++ b/.github/workflows/build-ddev.yml
@@ -604,6 +604,11 @@ jobs:
 path: installers
 merge-multiple: true
+ # Publish wheels to PyPI using Trusted Publishers.
+ # https://docs.pypi.org/trusted-publishers/using-a-publisher/
+ # This job needs to run from within the pypi-ddev environment. PyPi validates the
+ # workflow file name, environment and repository the request is comming from to
+ # provide the valid JWT token.
 - name: Push Python artifacts to PyPI
 uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
 with:
diff --git a/.github/workflows/release-base.yml b/.github/workflows/release-base.yml
index 0e075999d9e36..288562fe93f44 100644
--- a/.github/workflows/release-base.yml
+++ b/.github/workflows/release-base.yml
@@ -38,6 +38,11 @@ jobs:
 - name: Build base package
 run: ddev release build datadog_checks_base
+ # Publish wheels to PyPI using Trusted Publishers.
+ # https://docs.pypi.org/trusted-publishers/using-a-publisher/
+ # This job needs to run from within the pypi-datadog-checks-base environment. PyPi
+ # validates the workflow file name, environment and repository the request is
+ # comming from to provide the valid JWT token.
 - name: Release base package to PyPI
 uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
 with:
diff --git a/.github/workflows/release-dev.yml b/.github/workflows/release-dev.yml
index be26b97e0171b..27532070250bd 100644
--- a/.github/workflows/release-dev.yml
+++ b/.github/workflows/release-dev.yml
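Review bot: The added comment gets the token flow backwards: GitHub, not PyPI, issues the OIDC JWT, and PyPI verifies its claims (repository, workflow file name, environment) against the project's trusted publisher before exchanging it for a short-lived upload token; it also writes `PyPi` for `PyPI` and `comming` for `coming`. Replace the three explanatory lines after the URL with: `# This job must run in the pypi-ddev environment: GitHub mints an OIDC token whose claims (repository, workflow file name, environment) PyPI checks against the project's trusted publisher before issuing a short-lived upload token.` Because those claims do not include the branch or tag, it is the environment's protection rules that decide who can publish, which is worth stating in the same comment.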
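Review bot: The comment added above the publish step misstates who issues the token — GitHub mints the OIDC JWT and PyPI only verifies its claims before handing back a short-lived upload token — and it misspells `PyPI` and `coming`. Replace the three explanatory lines after the URL with: `# This job must run in the pypi-datadog-checks-base environment: GitHub mints an OIDC token whose claims (repository, workflow file name, environment) PyPI checks against the project's trusted publisher before issuing a short-lived upload token.` Adding that the branch or tag is not part of that check, so the environment's protection rules are the real gate, would make the comment actionable for whoever maintains the environment.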
@@ -38,6 +38,11 @@ jobs:
 - name: Build dev package
 run: ddev release build datadog_checks_dev
+ # Publish wheels to PyPI using Trusted Publishers.
+ # https://docs.pypi.org/trusted-publishers/using-a-publisher/
+ # This job needs to run from within the pypi-datadog-checks-dev environment. PyPi
+ # validates the workflow file name, environment and repository the request is
+ # comming from to provide the valid JWT token.
 - name: Release dev package to PyPI
 uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
 with: