ci: publish to PyPI via Trusted Publishing (OIDC) #251

Merged
lesnik512 merged 1 commit into main from ci/pypi-trusted-publishing on Jul 1, 2026

Conversation

@lesnik512

Member

What

Replace the long-lived PYPI_TOKEN secret with PyPI Trusted Publishing (OIDC).

Changes

  • release.yml: add id-token: write, run the job under a pypi environment, drop the PYPI_TOKEN env from the publish step.
  • Justfile: uv publish --token $PYPI_TOKEN -> uv publish (uv auto-detects the CI id-token).

Why

No credential to leak or rotate; OIDC tokens are short-lived and scoped to this repo + workflow. This is PyPI's recommended path.

Required before merge / next tag (maintainer, PyPI-side)

Code alone can't enable this:

  1. PyPI -> modern-di project -> Publishing -> add a Trusted Publisher: owner modern-python, repo modern-di, workflow release.yml, environment pypi.
  2. Create the pypi environment under repo Settings -> Environments (add approval/wait-timer rules if wanted).
  3. After the first OIDC release succeeds, delete the PYPI_TOKEN repo secret.

If 1-2 aren't in place when a tag is pushed, that publish fails; nothing auto-releases in between, and reverting this diff restores the token path.

Drop the long-lived PYPI_TOKEN secret in favor of OIDC. uv publish
auto-detects the GitHub Actions id-token, so the release job grants
id-token: write and runs under a `pypi` environment that scopes the
PyPI Trusted Publisher.

Requires a matching Trusted Publisher on the modern-di PyPI project
(workflow: release.yml, environment: pypi) before the next tag.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
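The release job before and after the change this PR describes, as a constructed example that is not the modern-di repository's actual release.yml or Justfile; the tag trigger, action versions, step names and build step are assumptions, and the two documents are separated by `---` so the block stays valid YAML:

```yaml
# Constructed illustration, not the project's own workflow file.
# --- before: long-lived API token stored as a repository secret ---
name: release
on:
  push:
    tags: ["v*"]          # assumed trigger
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5   # assumed version
      - run: uv build
      # The secret is valid until someone rotates it; anyone who reads it
      # (log leak, compromised runner, stale collaborator) can publish.
      - run: uv publish --token "$PYPI_TOKEN"
        env:
          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
---
# --- after: PyPI Trusted Publishing via the GitHub Actions OIDC id-token ---
name: release
on:
  push:
    tags: ["v*"]
jobs:
  publish:
    runs-on: ubuntu-latest
    # Must match the environment named on the Trusted Publisher entry in PyPI;
    # environment protection rules (reviewers, wait timer) gate the publish.
    environment: pypi
    permissions:
      contents: read    # job-level permissions replace the defaults, so
                        # checkout still needs explicit read access
      id-token: write   # allows the job to request a short-lived OIDC token
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5
      - run: uv build
      # No --token and no PYPI_TOKEN env: uv detects the CI id-token and
      # exchanges it for a publish token bound to this repo, workflow file
      # and environment, which expires on its own.
      - run: uv publish
```

If the Trusted Publisher or the `pypi` environment is missing when a tag is pushed, the `uv publish` step fails closed rather than falling back to a token.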
@lesnik512 lesnik512 merged commit be82322 into main Jul 1, 2026
7 checks passed
@lesnik512 lesnik512 deleted the ci/pypi-trusted-publishing branch July 1, 2026 17:59