Commit 20f7e40

kesmit13 and claude authored
Update publish workflow to use PyPI trusted publishing (#119)
Replace twine-based PyPI publishing with OIDC-based trusted publishing using the pypa/gh-action-pypi-publish GitHub Action.

Changes:
- Add permissions block with id-token: write for OIDC
- Add environment block referencing the 'publish' environment
- Remove twine installation step
- Replace twine upload with gh-action-pypi-publish action

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
1 parent be7a773 commit 20f7e40

1 file changed: +11 -12 lines changed

.github/workflows/publish.yml

Lines changed: 11 additions & 12 deletions
@@ -156,12 +156,16 @@ jobs:
156156

157157
runs-on: ubuntu-latest
158158

159-
steps:
160-
- name: Install dependencies
161-
run: |
162-
python -m pip install --upgrade pip
163-
pip install twine==6.0.1
159+
permissions:
160+
id-token: write # Required for OIDC trusted publishing
161+
actions: read # Required for actions/download-artifact
162+
contents: read # Required for repository access
164163

164+
environment:
165+
name: publish
166+
url: https://pypi.org/p/singlestoredb
167+
168+
steps:
165169
- name: Download Linux wheels and sdist
166170
uses: actions/download-artifact@v4
167171
with:
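
Review bot: The new `environment:` block with `name: publish` (new lines 164-166) only gates a release if the `publish` environment carries protection rules (required reviewers or branch/tag restrictions) and the PyPI trusted publisher entry is registered with that same environment name; neither is visible in this change, so please record both in the PR description or in a comment beside the block. Because `id-token: write` is granted at job level, the download steps can also request an OIDC token, which is acceptable for a publish-only job but worth stating in the comment. Please also confirm that `actions: read` is needed: if the artifacts downloaded below come from this same workflow run, that permission may be droppable. The empty added line 167 can be removed.
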
@@ -180,14 +184,9 @@ jobs:
180184
name: artifacts-macOS
181185
path: dist
182186

183-
- name: Publish PyPI package
187+
- name: Publish to PyPI
184188
if: ${{ github.event_name == 'release' || github.event.inputs.publish_pypi == 'true' }}
185-
env:
186-
TWINE_USERNAME: __token__
187-
TWINE_PASSWORD: "${{ secrets.PYPI_TOKEN }}"
188-
run: |
189-
ls ./dist/*
190-
twine upload ./dist/*
189+
uses: pypa/gh-action-pypi-publish@release/v1
191190

192191
# - name: Publish Conda package
193192
# if: ${{ github.event_name == 'release' || github.event.inputs.publish_anaconda == 'true' }}
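
Review bot: `uses: pypa/gh-action-pypi-publish@release/v1` (new line 189) points at a mutable branch ref, and this step runs in a job that can mint the OIDC token PyPI accepts; pin the action to a full commit SHA and keep the version in a trailing comment. With the `env:` block removed, `secrets.PYPI_TOKEN` is no longer read by this step, so the long-lived token should be revoked on PyPI and deleted from the repository secrets once a trusted publish has succeeded. The removed `ls ./dist/*` was the only record in the log of what gets uploaded; the action's default package directory is `dist`, which matches `path: dist` above, but a short listing step before the upload is cheap to keep for release audits.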
