🔧 chore: switch PyPI release to OIDC trusted publishing#199
Merged
Stacked on #198 (poetry -> uv migration). Replaces the long-lived `PYPI_TOKEN` secret with PyPI Trusted Publishing via `pypa/gh-action-pypi-publish` (OIDC).

- Collapse `bump-pyproject-version` + `publish-to-pypi` into a single `release` job. No reason to checkout twice now that the version bump, build, and publish all live in the same place.
- Add `environment: pypi` so the publish step is gated by the GitHub environment we registered as a trusted publisher on PyPI.
- Add `permissions: id-token: write` (required for OIDC) and `contents: write` (the auto-commit needs it).
- Drop `UV_PUBLISH_TOKEN`; `pypa/gh-action-pypi-publish` reads `dist/` and uses the OIDC identity directly. The `PYPI_TOKEN` secret can be deleted once a release run succeeds.
> **Warning**
> Once a release run succeeds end-to-end, the `PYPI_TOKEN` secret can be deleted from repo settings. Until then, leave it in place as a safety net.
## What

Migrates `publish.yaml` off the long-lived `PYPI_TOKEN` secret and onto PyPI Trusted Publishing (OIDC). Mirrors the same change in django-simple-bulma#134.

## Why

- `uv publish` with `UV_PUBLISH_TOKEN: ${{ secrets.PYPI_TOKEN }}`
- `pypa/gh-action-pypi-publish@release/v1` mints a short-lived OIDC token at run time
- `release` job

The PyPI side is already configured (Trusted Publisher: lemonsaurus / blackbox / publish.yaml / environment `pypi`).

## What changed in the workflow

- `bump-pyproject-version` and `publish-to-pypi` into a single `release` job.
- `environment: pypi` and `permissions: id-token: write` (required for OIDC) plus `contents: write` for the version-bump auto-commit.
- `uv build` (inherited from 🪛 chore: modernize linting, CI, and devex tooling #198); `pypa/gh-action-pypi-publish` reads the resulting `dist/`.
- `build-and-push-on-release` job is untouched. DockerHub credentials don't have an OIDC equivalent we use, so the `DOCKERHUB_TOKEN` secret stays.
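For readers who want to see the shape of the change the description above lays out, here is an added example workflow (written for this page, not the project's actual `publish.yaml`) that combines the version bump, build and OIDC publish in one `release` job. It assumes a `workflow_dispatch` trigger with a `version` input, a default branch named `main`, the `astral-sh/setup-uv` action, and `uv version` for the bump; the environment name `pypi`, the permissions block and the `pypa/gh-action-pypi-publish@release/v1` step are the pieces the PR itself names.

```yaml
# Added example: a single OIDC-gated release job, modelled on this PR's description.
# Not the project's publish.yaml. Trigger, branch name, setup-uv action and the
# `uv version` bump command are assumptions made for the example.
name: publish

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Version to release (e.g. 1.2.3)"
        required: true

# Start from no permissions; each job declares only what it needs.
permissions: {}

jobs:
  release:
    runs-on: ubuntu-latest
    # The GitHub environment registered on PyPI as the trusted publisher.
    # PyPI compares the OIDC token's environment claim against this name, so a
    # job outside this environment (or in a fork) cannot obtain an upload token.
    environment: pypi
    permissions:
      id-token: write   # lets the job request an OIDC token for PyPI
      contents: write   # needed only to push the version-bump commit back
    steps:
      - uses: actions/checkout@v4   # one checkout: bump, build and publish share it

      - uses: astral-sh/setup-uv@v5   # assumed action for installing uv

      # Assumed bump step: write the requested version into pyproject.toml.
      - name: Bump version in pyproject.toml
        run: uv version "${{ inputs.version }}"

      - name: Commit the version bump
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git commit -am "chore: bump version to ${{ inputs.version }}"
          git push origin HEAD:main

      - name: Build sdist and wheel
        run: uv build   # writes the artifacts into dist/

      # No token input at all: the action exchanges the job's OIDC token for a
      # short-lived, project-scoped PyPI API token and uploads everything in dist/.
      - uses: pypa/gh-action-pypi-publish@release/v1

# For contrast, the pattern this replaces (a long-lived secret in the job env):
#
#      - name: Publish
#        run: uv publish
#        env:
#          UV_PUBLISH_TOKEN: ${{ secrets.PYPI_TOKEN }}
```

Two points worth checking when adopting this: `permissions` on the job must include `id-token: write` or the publish action fails at the token exchange with no upload attempted, and the `environment:` value must match the environment name configured on the PyPI trusted-publisher record character for character, which is exactly what makes the environment a gate rather than a label.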