DataDog · AAraKKe · May 27, 2025 · May 27, 2025 · May 27, 2025
@@ -579,6 +579,9 @@ jobs:
 
     permissions:
       contents: write
+      id-token: write
+
+    environment: pypi-ddev
 
     steps:
     - name: Download Python artifacts
@@ -601,12 +604,15 @@ jobs:
         path: installers
         merge-multiple: true
 
+    # Publish wheels to PyPI using Trusted Publishers.
+    # https://docs.pypi.org/trusted-publishers/using-a-publisher/
+    # This job needs to run from within the pypi-ddev environment. PyPi validates the
+    # workflow file name, environment and repository the request is comming from to
+    # provide the valid JWT token.
     - name: Push Python artifacts to PyPI
       uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
       with:
         skip-existing: true
-        user: __token__
-        password: ${{ secrets.PYPI_TOKEN_DDEV_2 }}
 
     - name: Add assets to current release
       uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2

@@ -21,6 +21,8 @@ jobs:
     name: Build wheel
     runs-on: ubuntu-latest
 
+    environment: typo-squatting-release
+
     steps:
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -46,4 +48,4 @@ jobs:
         # Only uploading the missing wheels makes this job idempotent and reduces its complexity.
         skip-existing: true
         user: __token__
-        password: ${{ secrets.INTEGRATIONS_PYPI_NAME_CLAIM }}
+        password: ${{ secrets.PYPI_TOKEN }}
@@ -9,6 +9,11 @@ jobs:
   release:
     runs-on: ubuntu-latest
 
+    permissions:
+      id-token: write
+
+    environment: pypi-datadog-checks-base
+
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
@@ -30,8 +35,16 @@ jobs:
         ddev config set repos.core .
         ddev config set repo core
 
-    - name: Release base package
-      run: ddev release upload -s datadog_checks_base
-      env:
-        TWINE_USERNAME: __token__
-        TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN_BASE_2 }}
+    - name: Build base package
+      run: ddev release build datadog_checks_base
+
+    # Publish wheels to PyPI using Trusted Publishers.
+    # https://docs.pypi.org/trusted-publishers/using-a-publisher/
+    # This job needs to run from within the pypi-datadog-checks-base environment. PyPi
+    # validates the workflow file name, environment and repository the request is
+    # comming from to provide the valid JWT token.
+    - name: Release base package to PyPI
+      uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
+      with:
+        skip-existing: true
+        packages-dir: datadog_checks_base/dist
@@ -9,6 +9,11 @@ jobs:
   release:
     runs-on: ubuntu-latest
 
+    permissions:
+      id-token: write
+
+    environment: pypi-datadog-checks-dev
+
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
@@ -30,8 +35,16 @@ jobs:
         ddev config set repos.core .
         ddev config set repo core
 
-    - name: Release dev package
-      run: ddev release upload -s datadog_checks_dev
-      env:
-        TWINE_USERNAME: __token__
-        TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN_DEV_2 }}
+    - name: Build dev package
+      run: ddev release build datadog_checks_dev
+
+    # Publish wheels to PyPI using Trusted Publishers.
+    # https://docs.pypi.org/trusted-publishers/using-a-publisher/
+    # This job needs to run from within the pypi-datadog-checks-dev environment. PyPi
+    # validates the workflow file name, environment and repository the request is
+    # comming from to provide the valid JWT token.
+    - name: Release dev package to PyPI
+      uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
+      with:
+        skip-existing: true
+        packages-dir: datadog_checks_dev/dist