
Implement trusted publishing #7548

Draft: wants to merge 2 commits into base branch konsti/publish2

Conversation

konstin (Member) commented Sep 19, 2024

Trusted publishing allows uploading to PyPI from GitHub Actions without setting a (long-lived) secret token. Instead, you configure a GitHub Actions workflow as a trusted publisher. With the id-token: write permission, GitHub Actions then allows us to obtain an OpenID Connect (OIDC) token, with which we can ask PyPI for a short-lived upload token just for this session. The user experiences this as credentials-free upload. See https://docs.pypi.org/trusted-publishers/ for details and https://github.com/pypa/gh-action-pypi-publish for the reference implementation.

When we are in GitHub Actions and there are no explicit credentials, we try to obtain trusted publishing credentials. This can be controlled with --trusted-publishing (always use trusted publishing, don't try anything else) and --no-trusted-publishing (skip the check).
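The flow the description sketches, written out as an added Python example (it is neither uv's code nor the reference action's). It models the decision the two flags control (automatic, `--trusted-publishing`, `--no-trusted-publishing`) and the three HTTP steps of the exchange: fetch PyPI's expected audience, request an OIDC token from the GitHub Actions token endpoint, and trade it at PyPI's mint-token endpoint. The endpoint paths (`/_/oidc/audience`, `/_/oidc/mint-token`) and the `ACTIONS_ID_TOKEN_REQUEST_URL` / `ACTIONS_ID_TOKEN_REQUEST_TOKEN` variables follow the linked reference implementation; HTTP is injected as a callable so the logic runs offline against constructed responses, and the function names and the `TrustedPublishing` enum are this example's own.

```python
"""Hypothetical model of the trusted-publishing flow (not uv's code)."""
import json
import urllib.parse
import urllib.request
from enum import Enum


class TrustedPublishing(Enum):
    AUTOMATIC = "automatic"  # default: OIDC only when in Actions with no credentials
    ALWAYS = "always"        # --trusted-publishing: never fall back to anything else
    NEVER = "never"          # --no-trusted-publishing: skip the check entirely


def should_use_trusted_publishing(mode, has_credentials, env):
    """Decide whether to attempt the OIDC exchange for this publish run."""
    in_actions = env.get("GITHUB_ACTIONS") == "true"
    if mode is TrustedPublishing.NEVER:
        return False
    if mode is TrustedPublishing.ALWAYS:
        if not in_actions:
            raise RuntimeError("--trusted-publishing requires running in GitHub Actions")
        return True
    # Automatic: only when no explicit credentials were given.
    return in_actions and not has_credentials


def default_fetch(method, url, headers, body=None):
    """Real HTTP transport: send a request and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def mint_pypi_token(env, fetch=default_fetch, pypi="https://pypi.org"):
    """Exchange the job's OIDC identity for a short-lived PyPI upload token.

    Returns the (username, password) pair an upload client would use.
    """
    request_url = env.get("ACTIONS_ID_TOKEN_REQUEST_URL")
    request_token = env.get("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
    if not request_url or not request_token:
        # The most common failure mode: the workflow lacks `permissions: id-token: write`,
        # so the runner never exposes the token-request endpoint to the job.
        raise RuntimeError("OIDC token endpoint not available; grant `id-token: write`")

    # Step 1: PyPI tells us which audience it expects in the OIDC token.
    audience = fetch("GET", f"{pypi}/_/oidc/audience", {})["audience"]

    # Step 2: ask the Actions runner for an OIDC JWT scoped to that audience.
    sep = "&" if "?" in request_url else "?"
    oidc_url = f"{request_url}{sep}audience={urllib.parse.quote(audience)}"
    oidc_jwt = fetch("GET", oidc_url, {"Authorization": f"bearer {request_token}"})["value"]

    # Step 3: PyPI verifies the JWT against its trusted-publisher config and mints a token.
    body = json.dumps({"token": oidc_jwt}).encode()
    minted = fetch("POST", f"{pypi}/_/oidc/mint-token",
                   {"Content-Type": "application/json"}, body)["token"]
    return ("__token__", minted)


def fake_fetch(method, url, headers, body=None):
    """Constructed offline stand-in for the two services, for demonstration only."""
    if url.endswith("/_/oidc/audience"):
        return {"audience": "pypi"}
    if "audience=pypi" in url and method == "GET":
        assert headers.get("Authorization", "").startswith("bearer ")
        return {"value": "constructed.oidc.jwt"}
    if url.endswith("/_/oidc/mint-token"):
        assert json.loads(body)["token"] == "constructed.oidc.jwt"
        return {"token": "pypi-constructed-short-lived-token"}
    raise AssertionError(f"unexpected request: {method} {url}")


def run_offline_demo():
    """Drive both halves with constructed environments; returns the outcomes."""
    actions_env = {
        "GITHUB_ACTIONS": "true",
        "ACTIONS_ID_TOKEN_REQUEST_URL": "https://example.invalid/token?api-version=1",
        "ACTIONS_ID_TOKEN_REQUEST_TOKEN": "constructed-runner-token",
    }
    no_permission_env = {"GITHUB_ACTIONS": "true"}
    try:
        mint_pypi_token(no_permission_env, fetch=fake_fetch)
        missing_permission_error = None
    except RuntimeError as exc:
        missing_permission_error = str(exc)
    return {
        "auto_in_actions": should_use_trusted_publishing(TrustedPublishing.AUTOMATIC, False, actions_env),
        "auto_with_creds": should_use_trusted_publishing(TrustedPublishing.AUTOMATIC, True, actions_env),
        "auto_outside_actions": should_use_trusted_publishing(TrustedPublishing.AUTOMATIC, False, {}),
        "never_in_actions": should_use_trusted_publishing(TrustedPublishing.NEVER, False, actions_env),
        "credentials": mint_pypi_token(actions_env, fetch=fake_fetch),
        "missing_permission_error": missing_permission_error,
    }


if __name__ == "__main__":
    print(run_offline_demo())
```

The minted token is only ever held in memory for the duration of the upload, which is the property the description calls credentials-free: nothing long-lived is stored in repository secrets, and a leaked workflow log cannot expose a reusable API token.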
