
ci: publish to PyPI via Trusted Publishing (OIDC)#223

Merged
lesnik512 merged 1 commit into main from ci/pypi-trusted-publishing on Jul 1, 2026

Conversation

@lesnik512
Member

What

Replace the long-lived PYPI_TOKEN secret with PyPI Trusted Publishing (OIDC) on publish.yml. The existing on: release: published trigger is unchanged.

Changes

  • publish.yml: add permissions: { contents: read, id-token: write }, run the publish job under a pypi environment, drop the PYPI_TOKEN env.
  • Justfile: uv publish --token $PYPI_TOKEN -> uv publish.

Why

No credential to leak or rotate; OIDC tokens are short-lived and scoped to this repo + workflow.

Required before the next release (maintainer, PyPI-side)

  1. PyPI -> that-depends project -> Publishing -> add a Trusted Publisher: owner modern-python, repo that-depends, workflow publish.yml (not release.yml), environment pypi.
  2. Create the pypi environment under repo Settings -> Environments.
  3. After the first OIDC release succeeds, delete the PYPI_TOKEN repo secret.

Cutting a release is unchanged: create a GitHub Release (tag) and publish.yml publishes via OIDC.

Drop the long-lived PYPI_TOKEN secret in favor of OIDC. uv publish
auto-detects the GitHub Actions id-token; publish.yml grants id-token:
write (plus contents: read for checkout) and runs under a `pypi`
environment that scopes the PyPI Trusted Publisher. The existing
on: release: published trigger is unchanged.

Requires a Trusted Publisher on the that-depends PyPI project with
workflow publish.yml and environment pypi before the next release.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
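What the described publish.yml looks like once the token is gone. This is an added illustration, not the project's actual workflow file: the trigger, the two permissions, the `pypi` environment and the plain `uv publish` call are taken from the PR text; the action versions, the `astral-sh/setup-uv` step, the `uv build` step and the `--trusted-publishing always` flag are my assumptions (the project invokes `uv publish` through a Justfile recipe whose name the page does not show).

```yaml
# Added example of a Trusted Publishing workflow; not the project's own file.
# Assumed by the author of this example: action versions, setup-uv, uv build,
# and the --trusted-publishing flag (check it against the installed uv version).
name: publish

on:
  release:
    types: [published]        # unchanged trigger from the PR

# Workflow-wide default: no permissions. Each job requests what it needs,
# so a future job added to this file does not silently inherit id-token: write.
permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    # Must match the Trusted Publisher configured on PyPI exactly:
    # owner modern-python, repo that-depends, workflow publish.yml,
    # environment pypi. The environment name is a claim in the OIDC token;
    # PyPI rejects the exchange on any mismatch.
    environment: pypi
    permissions:
      contents: read          # needed by actions/checkout
      id-token: write         # lets this job (and only this job) mint an OIDC token
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config

      - uses: astral-sh/setup-uv@v5    # assumed; any uv install works

      - run: uv build                  # assumed build step; produces dist/

      # Before this PR:  uv publish --token "$PYPI_TOKEN"   (long-lived secret)
      # After this PR:   uv publish                         (auto-detects the
      #                  Actions id-token and exchanges it for a short-lived
      #                  PyPI token scoped to this repo + workflow + environment)
      # "always" makes the job fail loudly if OIDC is unavailable instead of
      # falling back to a token lookup; assumed to exist in the uv in use.
      - run: uv publish --trusted-publishing always
```

Two checks worth doing before cutting the first release on this path. First, open PyPI -> that-depends -> Publishing and confirm the four fields (owner, repository, workflow filename, environment) match the file above character for character; a publisher registered against release.yml, as the PR warns, will not match publish.yml. Second, keep the `publish` job minimal: `id-token: write` is job-scoped, so every step in that job, including any third-party action, can request a token that PyPI will accept. Only after the first OIDC release succeeds should the PYPI_TOKEN repo secret be deleted, as step 3 of the PR says.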
@codecov

codecov Bot commented Jul 1, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
unittests 100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.


@lesnik512 lesnik512 merged commit 83cabaa into main Jul 1, 2026
12 checks passed
@lesnik512 lesnik512 deleted the ci/pypi-trusted-publishing branch July 1, 2026 20:51