Skip to content

Upgrade PyPI upload workflow to use Trusted Publishing (#4589) #4611

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
cooperlees merged 4 commits into from
Dec 11, 2025
+21 −10
Merged

Upgrade PyPI upload workflow to use Trusted Publishing (#4589) #4611

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
c35007f
Upgrade PyPI upload workflow to use Trusted Publishing
ahmed5145 Mar 12, 2025
1234419
Add changelog entry for PyPI Trusted Publishing upgrade
ahmed5145 Mar 12, 2025
6cbb1d3
Added PR number for changelog CI
ahmed5145 Mar 12, 2025
900c587
Merge branch 'main' into upgrade-pypi-trusted-publishing
cooperlees Dec 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 19 additions & 10 deletions .github/workflows/pypi_upload.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,12 +10,16 @@ on:

permissions:
contents: read
id-token: write # Required for PyPI trusted publishing

jobs:
main:
name: sdist + pure wheel
runs-on: ubuntu-latest
if: github.event_name == 'release'
environment:
name: release
url: https://pypi.org/p/black
Comment on lines +20 to +22
Copy link
Member

@woodruffw woodruffw Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noting for the curious: the environment itself doesn't grant any special permissions to this job -- what it does is define an environment on GitHub's side, which can then be used to further constrain the publishing workflow (e.g. by adding required manual signoffs whenever the release workflow is triggered).

The PyPI documentation has some details on that: https://docs.pypi.org/trusted-publishers/security-model/#provider-specific-considerations


steps:
- uses: actions/checkout@v4
Expand All @@ -26,19 +30,19 @@ jobs:
python-version: "3.13"
allow-prereleases: true

- name: Install latest pip, build, twine
- name: Install latest pip, build
run: |
python -m pip install --upgrade --disable-pip-version-check pip
python -m pip install --upgrade build twine
python -m pip install --upgrade build

- name: Build wheel and source distributions
run: python -m build
Comment on lines 40 to 41
Copy link
Contributor

@webknjaz webknjaz Oct 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please avoid building in the same job as publishing. Especially with the elevated OIDC privileges. The transitive build deps shouldn't have such level of access.

#4589 links to proper examples.

Copy link
Collaborator

@cooperlees cooperlees Dec 9, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call - but should we do that in a dedicated PR? We already have this setup today ...

Copy link
Member

@woodruffw woodruffw Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I think there's potentially a larger CI/CD cleanup PR (or PRs) that could be done here. I can help chip away at that with some PRs 🙂

Copy link
Contributor

@webknjaz webknjaz Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cooperlees the old setup doesn't give elevated privileges to the transitive build deps, this is quite coupled.


- if: github.event_name == 'release'
name: Upload to PyPI via Twine
env:
TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
run: twine upload --verbose -u '__token__' dist/*
name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
verbose: true

generate_wheels_matrix:
name: generate wheels matrix
Expand Down Expand Up @@ -84,6 +88,10 @@ jobs:
name: mypyc wheels ${{ matrix.only }}
needs: generate_wheels_matrix
runs-on: ${{ matrix.os }}
if: github.event_name == 'release'
Copy link
Collaborator

@cobaltt7 cobaltt7 Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we want to gate the entire job to releases-only? The step is already release-gated. We want to build wheels on PRs to test and make sure builds don't fail.

Copy link
Contributor

@webknjaz webknjaz Dec 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because building must not be happening in a job with such high privileges (once Trusted Publishing is set up) — the jobs should actually be made separate.

Copy link
Collaborator

@cobaltt7 cobaltt7 Dec 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@webknjaz I believe that's an unrelated change. We already build and publish in the same job. The build deps now have the elevated permissions -- which yes, should be fixed -- but if I'm not mistaken, they have those permissions regardless of if the workflow runs on PR or release. So, ignoring that issue, this PR removed the functionality of testing wheel builds on PRs. Is there a reason for that?

environment:
name: release
url: https://pypi.org/p/black
strategy:
fail-fast: false
matrix:
Expand All @@ -103,10 +111,11 @@ jobs:
path: ./wheelhouse/*.whl

- if: github.event_name == 'release'
name: Upload wheels to PyPI via Twine
env:
TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
run: pipx run twine upload --verbose -u '__token__' wheelhouse/*.whl
name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: wheelhouse/
verbose: true

update-stable-branch:
name: Update stable branch
Expand Down
1 change: 1 addition & 0 deletions CHANGES.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,7 @@
<!-- For example, Docker, GitHub Actions, pre-commit, editors -->

- Fix the version check in the vim file to reject Python 3.8 (#4567)
- Upgraded PyPI upload workflow to use Trusted Publishing (#4611)

### Documentation

Expand Down
Loading