
ci: publish to PyPI via Trusted Publishing (OIDC)#21

Merged
lesnik512 merged 2 commits into main from ci/pypi-trusted-publishing on Jul 1, 2026

Conversation

@lesnik512

Member

What

Replace the long-lived PYPI_TOKEN secret with PyPI Trusted Publishing (OIDC).

Changes

  • release.yml: add id-token: write, run the job under a pypi environment, drop the PYPI_TOKEN env from the publish step.
  • Justfile: uv publish --token $PYPI_TOKEN -> uv publish.

Why

No credential to leak or rotate; OIDC tokens are short-lived and scoped to this repo + workflow.

Required before the next release tag (maintainer, PyPI-side)

  1. PyPI -> modern-di-typer project -> Publishing -> add a Trusted Publisher: owner modern-python, repo modern-di-typer, workflow release.yml, environment pypi.
  2. Create the pypi environment under repo Settings -> Environments.
  3. After the first OIDC release succeeds, delete the PYPI_TOKEN repo secret.

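For readers who want to see what the described release.yml shape looks like end to end, here is a minimal Trusted Publishing workflow. It is an added example, not the PR's own file: the pieces taken from the PR are the release.yml filename, the `pypi` environment, `id-token: write` and the bare `uv publish`; the tag trigger, the checkout and uv install steps, and the `uv build` step are assumptions about how the job is wired.

```yaml
# Added example (not the PR's release.yml): a release job that publishes to
# PyPI with Trusted Publishing (OIDC). Only release.yml, the `pypi`
# environment, `id-token: write` and `uv publish` come from the PR; the tag
# pattern and the checkout/install/build steps are assumptions.
name: release

on:
  push:
    tags:
      - "v*"              # assumed tag pattern; the PR only says "release tag"

# Default GITHUB_TOKEN gets nothing; the job below opts in to what it needs.
permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    # Must match the environment registered with the Trusted Publisher on
    # PyPI; owner, repo, workflow filename and environment are all compared.
    environment: pypi
    permissions:
      contents: read      # needed only for checkout
      id-token: write     # lets the job request the OIDC token PyPI verifies
    steps:
      - uses: actions/checkout@v4

      - name: Install uv
        run: python3 -m pip install uv   # assumed install method

      - name: Build
        run: uv build

      # Before this PR the publish step carried an env block exposing
      # PYPI_TOKEN and the Justfile ran `uv publish --token $PYPI_TOKEN`.
      # With OIDC there is no env block and no --token: uv publish detects
      # the Actions id-token and exchanges it for a short-lived upload token.
      - name: Publish
        run: uv publish
```

Two things to check when adopting this: if any of the four fields registered on PyPI (owner, repo, workflow filename, environment) differ from what the job presents, PyPI refuses the upload rather than falling back to a token, so a typo shows up as a failed release, not a silent one; and because the job only works inside the `pypi` environment, environment protection rules (required reviewers, branch or tag restrictions) become an extra gate on who can actually publish.
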
lesnik512 and others added 2 commits July 1, 2026 21:13
Drop the long-lived PYPI_TOKEN secret in favor of OIDC. uv publish
auto-detects the GitHub Actions id-token, so the release job grants
id-token: write and runs under a `pypi` environment that scopes the
PyPI Trusted Publisher.

Requires a matching Trusted Publisher on the modern-di-typer PyPI
project (workflow: release.yml, environment: pypi) before the next tag.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@lesnik512 lesnik512 merged commit 7f84708 into main Jul 1, 2026
6 checks passed
@lesnik512 lesnik512 deleted the ci/pypi-trusted-publishing branch July 1, 2026 20:41
