ci: enable trusted publishing for PyPI#60
Conversation
Agent-Logs-Url: https://github.com/Cosmoglobe/zodipy/sessions/0a982d82-4e24-4c36-8ff5-cfb42f3e8d02 Co-authored-by: MetinSa <28634670+MetinSa@users.noreply.github.com>
Pull request overview
Adds a GitHub Actions workflow to publish the package to PyPI using OIDC “trusted publishing” on GitHub Releases, avoiding long-lived PyPI tokens.
Changes:
- Introduces `publish.yml`, triggered on `release.published`.
- Builds the package with Poetry and transfers `dist/` via workflow artifacts.
- Publishes to PyPI via `pypa/gh-action-pypi-publish` using OIDC with an environment gate.
```yaml
permissions:
  contents: read
```
The workflow-level `permissions` block restricts the `GITHUB_TOKEN` to `contents: read` only, which is likely insufficient for `actions/upload-artifact` / `actions/download-artifact` (these generally require `actions: write` / `actions: read`). Consider either adding the required `actions` permission at the workflow level, or (more tightly) setting per-job permissions: the build job gets `actions: write` (+ `contents: read` for checkout) and the publish job gets `actions: read` (+ `id-token: write`).
It's even better to use `permissions: {}` at the top level and only add specific permissions at the job level.
(I also don't think this specific permission is needed at all here)
Thanks for the comments! I let Copilot have a go at it before I check it out myself. Do you have a repo with a good setup that you recommend me checking out?
Yup. Have a go at neutrinoceros/idefix_cli. It's as simple as they come (but note I don't use poetry).
Long-lived PyPI tokens are a supply-chain risk; OIDC-based trusted publishing eliminates them by issuing short-lived credentials scoped to a specific workflow run.
Changes
- `.github/workflows/publish.yml`, triggered on `release: published`
- `build` job: installs Poetry, runs `poetry build`, uploads `dist/` as a workflow artifact
- `publish` job: downloads the artifact, publishes via `pypa/gh-action-pypi-publish` using OIDC — no token required
- `permissions: contents: read`; publish job scoped to `id-token: write` only

Required admin steps (not in this PR)
- PyPI trusted publisher: `Cosmoglobe/zodipy`, workflow: `publish.yml`, environment: `pypi`
- GitHub environment `pypi` (add approval gates as desired)
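A complete workflow that applies the permission advice from the review thread above (deny-all `permissions: {}` at the workflow level, per-job grants, `id-token: write` only on the environment-gated publish job) to the build/publish layout described in the Changes list. This is an added example written for this page; it is neither the `publish.yml` in this PR nor the workflow in neutrinoceros/idefix_cli. The Python version, the action version pins, the `pipx install poetry` step and the environment URL are assumptions.

```yaml
name: Publish to PyPI

on:
  release:
    types: [published]

# Deny everything at the workflow level; each job asks only for what it needs.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # actions/checkout needs to read the repository
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"       # assumption: pick the project's release interpreter
      - name: Install Poetry
        run: pipx install poetry       # assumption: pipx is available on ubuntu-latest
      - name: Build sdist and wheel
        run: poetry build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
          if-no-files-found: error     # fail loudly if the build produced nothing

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment:
      name: pypi                       # must match the environment registered on PyPI
      url: https://pypi.org/p/zodipy   # assumption: display link only, not used for auth
    permissions:
      id-token: write                  # the only permission OIDC trusted publishing needs
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # No `password:` input: the action exchanges the job's OIDC token for a
      # short-lived PyPI token scoped to this workflow run.
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Neither job requests an `actions:` permission: artifact transfer within a single run does not go through `GITHUB_TOKEN` permissions, and `actions/download-artifact` documents `actions: read` as required only when pulling artifacts from a different workflow run. The `environment: pypi` line is what lets required reviewers or branch restrictions on that environment gate the publish, and it must match the environment name entered in the PyPI trusted publisher form, otherwise the OIDC token's claims will not match and PyPI rejects the exchange.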