Maintenance: Migrate to new PyPi Trusted Publishers

[heitorlessa]

Why is this needed?

PyPi just recently added support for "Trusted Publishers" to improve security posture by accepting OIDC tokens emitted from CIs also acting as IdP instead of PyPi tokens.

GitHub Actions natively supports it: https://docs.pypi.org/trusted-publishers/

Which area does this relate to?

Automation

Solution

Add a new trusted publisher in PyPi associating this org+repo+gh env+gh workflow, and updating our release process do ditch PyPi token and use the new process.

Acknowledgment

• This request meets Lambda Powertools Tenets
• Should this be considered in other Lambda Powertools languages? i.e. TypeScript

[heitorlessa]

Tasks:

• Add new Trusted Publisher in PyPi
• Create new Makefile target: release-build
• Replace release-prod with release-build
• Use new GH Action with a SHA pinned version
• Use it for new release
• Remove PyPi Token from GH Secrets if release was successful

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

This issue is now closed. Please be mindful that future comments are hard for our team to see.

If you need more assistance, please either tag a team member or open a new issue that references this one.

If you wish to keep having a conversation with other community members under this issue feel free to do so.

[github-actions]

This is now released under 2.15.0 version!