From 08292640e99bf6832d6183b81dad3f54ea0f097b Mon Sep 17 00:00:00 2001
From: Jake Awe <jawe@nvidia.com>
Date: Wed, 26 Jun 2024 16:38:35 -0500
Subject: [PATCH] use correct audience

---
 .github/workflows/pr.yaml | 38 +++++++++++++++++++-------------------
 ci/mint-pypi-token.sh     |  2 +-
 2 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 4eb0a9405..e967d3f75 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -72,33 +72,33 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       id-token: write
-    needs: wheel-build
+    # needs: wheel-build
     steps:
-      # - name: mint API token
-      #   run: |
-      #     #!/bin/bash
+      - name: mint API token
+        run: |
+          #!/bin/bash
 
-      #     # retrieve the ambient OIDC token
-      #     resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-      #     "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
-      #     oidc_token=$(jq -r '.value' <<< "${resp}")
+          # retrieve the ambient OIDC token
+          resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+          "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=testpypi")
+          oidc_token=$(jq -r '.value' <<< "${resp}")
 
-      #     echo "OIDC token: $oidc_token"
-      #     echo "Response: $resp"
+          echo "OIDC token: $oidc_token"
+          echo "Response: $resp"
 
-      #     # exchange the OIDC token for an API token
-      #     resp=$(curl -X POST https://test.pypi.org/_/oidc/mint-token -d "{\"token\": \"${oidc_token}\"}")
+          # exchange the OIDC token for an API token
+          resp=$(curl -X POST https://test.pypi.org/_/oidc/mint-token -d "{\"token\": \"${oidc_token}\"}")
 
-      #     echo "OIDC token: $oidc_token"
-      #     echo "Response: $resp"
+          echo "OIDC token: $oidc_token"
+          echo "Response: $resp"
 
-      #     api_token=$(jq -r '.token' <<< "${resp}")
+          api_token=$(jq -r '.token' <<< "${resp}")
 
-      #     # mask the newly minted API token, so that we don't accidentally leak it
-      #     echo "::add-mask::${api_token}"
+          # mask the newly minted API token, so that we don't accidentally leak it
+          echo "::add-mask::${api_token}"
 
-      #     # see the next step in the workflow for an example of using this step output
-      #     echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
+          # see the next step in the workflow for an example of using this step output
+          echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
       - name: Mint GitHub Token
         uses: rapidsai/shared-actions/mint-pypi-token@mint-pypi-token
         id: mint-token
diff --git a/ci/mint-pypi-token.sh b/ci/mint-pypi-token.sh
index 2a3a0e413..7c0d2e547 100755
--- a/ci/mint-pypi-token.sh
+++ b/ci/mint-pypi-token.sh
@@ -2,7 +2,7 @@
 
 # retrieve the ambient OIDC token
 resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
+"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=testpypi")
 oidc_token=$(jq -r '.value' <<< "${resp}")
 
 echo "OIDC token: $oidc_token"