
Upgrade PyPI upload workflow to use Trusted Publishing (#4589) #4611

Open: wants to merge 3 commits into main

Conversation

ahmed5145

Fixes #4589

This PR upgrades the PyPI publishing workflow to use Trusted Publishing instead of token-based authentication. This change:

  • Improves security by using OpenID Connect (OIDC) instead of long-lived tokens
  • Removes the need for maintaining PyPI tokens in GitHub secrets
  • Uses the official PyPA publishing action

Changes made:

  • Added id-token: write permission for OIDC authentication
  • Changed environment name to 'release'
  • Switched to pypa/gh-action-pypi-publish action
  • Removed twine dependency

Required actions after merging:
The repository maintainers will need to:

  1. Configure Trusted Publishing in PyPI for the black project:
  2. Create a 'release' environment in the GitHub repository settings
  3. Remove the existing PyPI token from GitHub secrets (after verifying the new setup works)

@cooperlees
Collaborator

cooperlees commented Mar 12, 2025

Cool - TIL there is something more official than what I long ago cooked up at a GitHub conference when Actions were announced. Let's make CI happy and this feels the right way to go to me. I'll be copying for my other projects too :)

@ahmed5145
Author

Happy to hear that, please feel free to use across. It's quite impressive that you were there during the announcement of Actions.

It seems that there is an issue with the CI workflow in the PR. The diff-shades-comment job is failing because it cannot find the .pr-comment.json artifact. This artifact is expected by the comment-details command in the diff_shades_gha_helper.py script.

I've reviewed the script and it seems like the artifact is not being generated or uploaded in the diff-shades workflow.
Could you provide guidance on how this artifact should be generated? Are there any known issues with the current CI setup that might be causing this?
Or if I am getting this completely wrong.
Thank you for your assistance!


@cooperlees cooperlees left a comment


CI seems to be working here - Is it just failing locally for you?

This looks good - I would imagine our next test run of this would confirm? Should we force run the skipped tests maybe?

Thoughts here other maintainers?

@JelleZijlstra
Collaborator

This seems fine but it will need some changes on the PyPI side; I'll do that when I have some time. Not sure if @cooperlees has the requisite permissions.

Linked issue (#4589): [task] Upgrade .github/workflows/pypi_upload.yml to use Trusted Publishing