Auto-publish to PyPI on release (Trusted Publishing)#59
Merged
Conversation
A publish.yml workflow builds the sdist + wheel and uploads to PyPI when a GitHub release is published. Authentication is PyPI Trusted Publishing (OIDC) -- no API token is stored. The publish job requests id-token:write and runs in a 'pypi' GitHub Environment, which also allows an optional manual-approval gate. Requires a one-time PyPI Trusted Publisher config (owner IVRTech, repo pystrix, workflow publish.yml, environment pypi). Closes #58
- Split into an unprivileged `build` job and an OIDC `publish` job (`needs: build`), passing `dist/` via artifact. Only the publish job holds `id-token: write`, so the build backend never has the publishing identity (PyPA-recommended structure).
- Add `contents: read` to the publish job's permissions (job-level perms do not inherit the top-level block).
- Add a verify step: non-empty `dist/`, `twine check`, and a built-version vs release-tag match (read from an env var to avoid injection).
- Kept `pypa/gh-action-pypi-publish@release/v1` (PyPA's recommended ref) rather than a SHA pin; SHA-pinning is deferred to pair with Dependabot.
Closes #58

Summary

Auto-publishes pystrix to PyPI when a GitHub release is published, using PyPI Trusted Publishing (OIDC) — no API token is stored in the repo or CI.

Workflow (`.github/workflows/publish.yml`)
- Triggered on `release: published`.
- Runs `python -m build`, then uploads via `pypa/gh-action-pypi-publish` using OIDC.
- `contents: read` at the top level; the publish job requests `id-token: write` (needed for OIDC) and runs in a `pypi` GitHub Environment.

Security
- No untrusted input is used in any `run:` step; the only privilege is `id-token: write` scoped to the publish job.
- The trigger is `release: published`, which only a maintainer can fire.

Required one-time setup (maintainer, on PyPI)

Add a Trusted Publisher to the existing `pystrix` PyPI project:
- Owner: `IVRTech`
- Repository: `pystrix`
- Workflow: `publish.yml`
- Environment: `pypi`

This requires owner/maintainer access to the existing `pystrix` PyPI project. Until it's configured, the publish job will fail at the upload step with an auth error (re-runnable once set up).

Optionally, add a required reviewer to the `pypi` GitHub Environment (repo settings) to gate each publish behind a manual approval.

Sequence to ship 1.3.0
- `v1.3.0` and publish the GitHub release — the workflow then builds and uploads automatically.

🤖 Generated with Claude Code
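The job layout the PR describes (unprivileged `build` job, OIDC-only `publish` job, artifact hand-off, env-var-based tag check), written out as an added example workflow. This is not the PR's own `publish.yml`; it assumes the project name `pystrix` when parsing the sdist filename, and the `actions/*` version tags (`checkout@v4`, `setup-python@v5`, `upload-artifact@v4`, `download-artifact@v4`) are assumptions chosen for the example, not values taken from the PR.

```yaml
name: publish

on:
  release:
    types: [published]

# Least privilege at the top level; a job widens only what it needs.
permissions:
  contents: read

jobs:
  build:
    # No id-token here: the build backend never holds the publishing identity.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4            # assumed version tag
      - uses: actions/setup-python@v5        # assumed version tag
        with:
          python-version: "3.x"
      - run: python -m pip install --upgrade build twine
      - run: python -m build
      - name: Verify artifacts
        env:
          # The tag reaches the script as an environment variable, not via
          # ${{ }} interpolation into the script body, so a crafted tag name
          # cannot inject shell code into the run step.
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          set -euo pipefail
          ls dist/*.whl dist/*.tar.gz >/dev/null        # dist/ must be non-empty
          python -m twine check dist/*                  # metadata must render on PyPI
          sdist=$(ls dist/*.tar.gz)                     # e.g. dist/pystrix-1.3.0.tar.gz
          built="${sdist#dist/pystrix-}"                # project name assumed: pystrix
          built="${built%.tar.gz}"
          expected="${RELEASE_TAG#v}"                   # v1.3.0 -> 1.3.0
          if [ "$built" != "$expected" ]; then
            echo "built version $built does not match release tag $RELEASE_TAG" >&2
            exit 1
          fi
      - uses: actions/upload-artifact@v4     # assumed version tag
        with:
          name: dist
          path: dist/
          if-no-files-found: error

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi          # an optional required-reviewer gate lives here
    permissions:
      contents: read           # a job-level block replaces the top-level one, so restate it
      id-token: write          # the only job allowed to mint the OIDC token
    steps:
      - uses: actions/download-artifact@v4   # assumed version tag
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
```

The publish job deliberately runs no checkout and no build backend: the only code executing while `id-token: write` is in scope is the artifact download and the PyPA publish action, which keeps the blast radius of a compromised build dependency away from the publishing identity. The version check fails the build job before anything is uploaded, so a release tagged `v1.3.0` cannot ship an artifact built from a stale `1.2.x` version field.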