Skip to content

Use a trusted publisher when publishing to PyPI#330

Merged
nuwang merged 1 commit into
mainfrom
329-trusted-publishing
May 19, 2026
Merged

Use a trusted publisher when publishing to PyPI#330
nuwang merged 1 commit into
mainfrom
329-trusted-publishing

Conversation

@ksuderman
Copy link
Copy Markdown
Contributor

@ksuderman ksuderman commented May 19, 2026

This PR implements trusted publishing for PyPI uploads to enhance security and reduce the risk of supply chain attacks. The changes replace the traditional API token-based authentication with OpenID Connect (OIDC) token-based authentication provided by GitHub Actions.

The deployment workflow has been updated to use the trusted publishing mechanism where GitHub Actions generates short-lived OIDC tokens that PyPI can verify and trust. This eliminates the need to store long-lived API tokens as repository secrets, reducing the attack surface and potential for credential compromise.

PyPI Configuration Required: After merging this PR, repository administrators must configure trusted publishing on both PyPI and Test PyPI before the next release:

For Production PyPI:

  1. Visit https://pypi.org
  2. Login with maintainer credentials
  3. Navigate to the cloudbridge project
  4. Click "Manage" and then click "Publishing"
  5. Fill in the form:
    • Owner: CloudVE
    • Repository name: cloudbridge
    • Workflow filename: deploy.yaml
    • Environment name: (leave blank)
  6. Click "Add"

For Test PyPI:

  1. Visit https://test.pypi.org
  2. Login with maintainer credentials
  3. Repeat the same configuration as above

Post-Configuration:

  • Test the setup by creating a new pre-release tag
  • Monitor the workflow execution to ensure trusted publishing works
  • Remove the old API token secrets (PYPI_API_TOKEN and TEST_PYPI_API_TOKEN) from repository secrets once confirmed working
  • If issues arise, the workflow can be temporarily reverted and API tokens restored

The trusted publishing setup provides better security, audit trails, and eliminates the need for credential rotation while maintaining the same publishing functionality.

Closes #329

@ksuderman ksuderman requested a review from nuwang May 19, 2026 18:44
nuwang
nuwang approved these changes May 19, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@nuwang nuwang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @ksuderman! Closes: #329

@nuwang nuwang merged commit a64ecda into main May 19, 2026
2 checks passed
@nuwang nuwang deleted the 329-trusted-publishing branch May 19, 2026 19:07
@nsoranzo
Copy link
Copy Markdown
Contributor

nsoranzo commented May 19, 2026

Thanks both! For additional security you could split the workflow in 2 jobs where only the second needs the id-token: write permission, see e.g.: https://github.com/galaxyproject/gravity/pull/151/changes

@nuwang nuwang mentioned this pull request May 20, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nuwang nuwang nuwang approved these changes

Assignees

No one assigned

Labels

enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Use Trusted Publishing to upload to PyPI

3 participants

@ksuderman @nsoranzo @nuwang