build: fix python upload workflows

Use virtual python environment to install the packaging tool.

Signed-off-by: Daniel Wagner <[email protected]>

Author: igaw

.github/workflows/release-python.yml

@@ -40,19 +40,45 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Install Python (if missing)
-        run: apt-get update && apt-get install -y python3 python3-pip
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y python3 python3-pip
 
       - name: Update python dependencies
-        run: python3 -m pip install -U packaging --break-system-packages
+        run: |
+          python3 -m venv venv
+          source venv/bin/activate
+          pip install -U packaging
 
       - uses: actions/download-artifact@v4
         with:
           name: artifact
           path: dist
 
+      - name: mint API token
+        id: mint-token
+        run: |
+          # retrieve the ambient OIDC token
+          resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
+          oidc_token=$(jq -r '.value' <<< "${resp}")
+
+          # exchange the OIDC token for an API token
+          resp=$(curl -X POST https://pypi.org/_/oidc/mint-token -d "{\"token\": \"${oidc_token}\"}")
+          api_token=$(jq -r '.token' <<< "${resp}")
+
+          # mask the newly minted API token, so that we don't accidentally leak it
+          echo "::add-mask::${api_token}"
+
+          # see the next step in the workflow for an example of using this step output
+          echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
+
       - name: Publish package to TestPyPI
+        env:
+          PATH: ${{ github.workspace }}/venv/bin:$PATH
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
+          password: ${{ steps.mint-token.outputs.api-token }}
           repository-url: https://test.pypi.org/legacy/
 
   upload_pypi:
@@ -61,27 +87,35 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v') && github.repository == 'linux-nvme/libnvme'
     steps:
       - name: Install Python (if missing)
-        run: apt-get update && apt-get install -y python3 python3-pip
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y python3 python3-pip
 
       - name: Update python dependencies
-        run: python3 -m pip install -U packaging --break-system-packages
+        run: |
+          python3 -m venv venv
+          source venv/bin/activate
+          pip install -U packaging
 
       - name: Check if it is a release tag
         id: check-tag
         run: |
            if [[ ${{ github.event.ref }} =~ ^refs/tags/v([0-9]+\.[0-9]+)(\.[0-9]+)?(-rc[0-9]+)?$ ]]; then
                echo ::set-output name=match::true
            fi
+
       - name: Download artifiact
         uses: actions/download-artifact@v4
         if: steps.check-tag.outputs.match == 'true'
         with:
           name: artifact
           path: dist
+
       - name: Publish package to PyPI
+        env:
+          PATH: ${{ github.workspace }}/venv/bin:$PATH
         uses: pypa/gh-action-pypi-publish@release/v1
         if: steps.check-tag.outputs.match == 'true'
         with:
           user: __token__
           password: ${{ secrets.PYPI_API_TOKEN }}
-          verify-metadata: false