Merge pull request github#28439 from github/repo-sync

Repo sync

content/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md

@@ -468,6 +468,14 @@ To configure the repository to use the organization's template, a repository adm
 
 You can now update your YAML workflows to use OIDC access tokens instead of secrets. Popular cloud providers have published their official login actions that make it easy for you to get started with OIDC. For more information about updating your workflows, see the cloud-specific guides listed below in "[Enabling OpenID Connect for your cloud provider](#enabling-openid-connect-for-your-cloud-provider)."
 
+{% ifversion fpt or ghec %}
+
+## Enabling OpenID Connect for Python package publishing
+
+You can use a {% data variables.product.prodname_actions %} workflow in a repository as a trusted publisher for a PyPI project. Using a workflow as a trusted publisher allows OIDC access tokens to be exchanged for temporary PyPI API tokens. For more information, see "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi)" and "[Publishing to PyPI with a Trusted Publisher](https://docs.pypi.org/trusted-publishers/)" in the PyPI documentation.
+
+{% endif %}
+
 ## Enabling OpenID Connect for your cloud provider
 
 To enable and configure OIDC for your specific cloud provider, see the following guides:

content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi.md

@@ -0,0 +1,93 @@
+---
+title: Configuring OpenID Connect in PyPI
+shortTitle: OpenID Connect in PyPI
+intro: Use OpenID Connect within your workflows to authenticate with PyPI.
+versions:
+  fpt: '*'
+  ghec: '*'
+type: tutorial
+topics:
+  - Security
+  - Actions
+---
+
+## Overview
+
+OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %} workflows to authenticate with [PyPI](https://pypi.org) to publish Python packages.
+
+This guide gives an overview of how to configure PyPI to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and demonstrates how to use this configuration in the [`pypa/gh-action-pypi-publish`](https://github.com/marketplace/actions/pypi-publish) action to publish packages to PyPI (or other Python package repositories) without any manual API token management.
+
+## Prerequisites
+
+{% data reusables.actions.oidc-link-to-intro %}
+
+{% data reusables.actions.oidc-security-notice %}
+
+## Adding the identity provider to PyPI
+
+To use OIDC with PyPI, add a trust configuration that links each project on PyPI to each repository and workflow combination that's allowed to publish for it.
+
+1. Sign in to PyPI and navigate to the trusted publishing settings for the project you'd like to configure. For a project named `myproject`, this will be at `https://pypi.org/manage/project/myproject/settings/publishing/`.
+
+1. Configure a trust relationship between the PyPI project and a {% data variables.product.prodname_dotcom %} repository (and workflow within the repository). For example, if your {% data variables.product.prodname_dotcom %} repository is at `myorg/myproject` and your release workflow is defined in `release.yml` with an environment of `release`, you should use the following settings for your trusted publisher on PyPI.
+
+   {% note %}
+
+   **Note:** Enter these values carefully. Giving the incorrect user, repository, or workflow
+   the ability to publish to your PyPI project is equivalent to sharing an API token.
+
+   {% endnote %}
+
+   - Owner: `myorg`
+   - Repository name: `myproject`
+   - Workflow name: `release.yml`
+   - (Optionally) a {% data variables.product.prodname_actions %} environment name: `release`
+
+## Updating your {% data variables.product.prodname_actions %} workflow
+
+Once your trusted publisher is registered on PyPI, you can update your release workflow to use trusted publishing.
+
+The [`pypa/gh-action-pypi-publish`](https://github.com/marketplace/actions/pypi-publish) action has built-in support for trusted publishing, which can be enabled by giving its containing job the `id-token: write` permission and omitting `username` and `password`.
+
+The following example uses the `pypa/gh-action-pypi-publish` action to exchange an OIDC token for a PyPI API token, which is then used to upload a package's release distributions to PyPI.
+
+```yaml{:copy}
+jobs:
+  release-build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: {% data reusables.actions.action-checkout %}
+
+      - uses: {% data reusables.actions.action-setup-python %}
+        with:
+          python-version: "3.x"
+
+      - name: build release distributions
+        run: |
+          # NOTE: put your own distribution build steps here.
+          python -m build
+
+      - name: upload windows dists
+        uses: {% data reusables.actions.action-upload-artifact %}
+        with:
+          name: release-dists
+          path: dist/
+
+  pypi-publish:
+    runs-on: ubuntu-latest
+    needs:
+      - release-build
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Retrieve release distributions
+        uses: {% data reusables.actions.action-download-artifact %}
+        with:
+          name: release-dists
+          path: dist/
+
+      - name: Publish release distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+```

content/actions/deployment/security-hardening-your-deployments/index.md

@@ -13,6 +13,7 @@ children:
   - /configuring-openid-connect-in-google-cloud-platform
   - /configuring-openid-connect-in-hashicorp-vault
   - /configuring-openid-connect-in-cloud-providers
+  - /configuring-openid-connect-in-pypi
   - /using-openid-connect-with-reusable-workflows
 ---
 

package.json

@@ -192,7 +192,6 @@
     "nodemon": "3.0.1",
     "npm-merge-driver-install": "^3.0.0",
     "nth-check": "2.1.1",
-    "postcss": "^8.4.14",
     "prettier": "^3.0.3",
     "rimraf": "^5.0.0",
     "robots-parser": "^3.0.0",