Skip to content

Auto-publish to PyPI on release (Trusted Publishing) #59

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
itg-karthicr merged 2 commits into from
Jun 24, 2026
Merged

Auto-publish to PyPI on release (Trusted Publishing) #59

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0270e38
Add PyPI auto-publish on release via Trusted Publishing (#58)
itg-karthicr Jun 24, 2026
dbfccd3
Harden publish workflow per review panel
itg-karthicr Jun 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
68 changes: 68 additions & 0 deletions .github/workflows/publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
name: Publish to PyPI

# Publishes to PyPI when a GitHub release is published. Authentication uses
# PyPI Trusted Publishing (OIDC), so no API token is stored in the repo or CI.
# Build and publish are separate jobs: only the publish job holds the OIDC
# publishing identity, so the build backend never has access to it.
#
# One-time PyPI setup (maintainer): add a Trusted Publisher to the pystrix
# project with owner "IVRTech", repository "pystrix", workflow "publish.yml",
# and environment "pypi".
on:
release:
types: [published]

permissions:
contents: read

jobs:
build:
name: Build distribution
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Build sdist and wheel
run: |
python -m pip install build twine
python -m build
- name: Verify artifacts and version
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
run: |
test -n "$(ls -A dist/)" || { echo "::error::dist/ is empty"; exit 1; }
python -m twine check dist/*
version="$(python -c 'import pystrix; print(pystrix.VERSION)')"
if [ "$RELEASE_TAG" != "v$version" ] && [ "$RELEASE_TAG" != "$version" ]; then
echo "::error::built version $version does not match release tag $RELEASE_TAG"
exit 1
fi
- name: Upload distribution artifacts
uses: actions/upload-artifact@v4
with:
name: dist
path: dist/

publish:
name: Publish to PyPI
needs: build
runs-on: ubuntu-latest
timeout-minutes: 10
environment:
name: pypi
url: https://pypi.org/project/pystrix/
permissions:
contents: read
id-token: write # required for Trusted Publishing (OIDC)
steps:
- name: Download distribution artifacts
uses: actions/download-artifact@v4
with:
name: dist
path: dist/
- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
Loading