feat: add PyPI trusted publishing support

danielkov · claude · danielkov · commit edd63c23c295 · 2026-02-04T11:20:24.000Z
Add `useTrustedPublishing` field to PyPi publishing config to enable
OIDC-based trusted publishing instead of token-based authentication.

Changes:
- Add `UseTrustedPublishing` field to `PyPi` struct
- Make `Token` field optional when using trusted publishing
- Update `Validate()` to error if both token and trusted publishing are set
- Update `IsPublished()` to recognize trusted publishing as valid config
- Update JSON schema with new field and descriptions

Usage:
```yaml
targets:
  python-sdk:
    target: python
    source: my-source
    publish:
      pypi:
        useTrustedPublishing: true
```

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/schemas/workflow.schema.json b/schemas/workflow.schema.json
@@ -326,12 +326,17 @@
       "additionalProperties": false,
       "properties": {
         "token": {
+          "description": "PyPI API token for token-based authentication. Not required if using trusted publishing.",
           "type": "string"
+        },
+        "useTrustedPublishing": {
+          "description": "Use OIDC trusted publishing instead of token-based authentication. See https://docs.pypi.org/trusted-publishers/",
+          "type": [
+            "null",
+            "boolean"
+          ]
         }
       },
-      "required": [
-        "token"
-      ],
       "type": "object"
     },
     "WorkflowRubyGems": {
diff --git a/workflow/target.go b/workflow/target.go
@@ -90,8 +90,9 @@ type NPM struct {
 }
 
 type PyPi struct {
-	_     struct{} `additionalProperties:"false"`
-	Token string   `yaml:"token" required:"true"`
+	_                    struct{} `additionalProperties:"false"`
+	Token                string   `yaml:"token,omitempty" description:"PyPI API token for token-based authentication. Not required if using trusted publishing."`
+	UseTrustedPublishing *bool    `yaml:"useTrustedPublishing,omitempty" description:"Use OIDC trusted publishing instead of token-based authentication. See https://docs.pypi.org/trusted-publishers/"`
 }
 
 type Packagist struct {
@@ -195,9 +196,15 @@ func (p Publishing) Validate(target string) error {
 			}
 		}
 	case "python":
-		if p.PyPi != nil && p.PyPi.Token != "" {
-			if err := validateSecret(p.PyPi.Token); err != nil {
-				return fmt.Errorf("failed to validate pypi token: %w", err)
+		if p.PyPi != nil {
+			usesTrustedPublishing := p.PyPi.UseTrustedPublishing != nil && *p.PyPi.UseTrustedPublishing
+			if usesTrustedPublishing && p.PyPi.Token != "" {
+				return fmt.Errorf("pypi token should not be provided when using trusted publishing")
+			}
+			if !usesTrustedPublishing && p.PyPi.Token != "" {
+				if err := validateSecret(p.PyPi.Token); err != nil {
+					return fmt.Errorf("failed to validate pypi token: %w", err)
+				}
 			}
 		}
 	case "php":
@@ -262,8 +269,11 @@ func (p Publishing) IsPublished(target string) bool {
 			return true
 		}
 	case "python":
-		if p.PyPi != nil && p.PyPi.Token != "" {
-			return true
+		if p.PyPi != nil {
+			usesTrustedPublishing := p.PyPi.UseTrustedPublishing != nil && *p.PyPi.UseTrustedPublishing
+			if usesTrustedPublishing || p.PyPi.Token != "" {
+				return true
+			}
 		}
 	case "php":
 		if p.Packagist != nil {

Original file line number	Diff line number	Diff line change
`@@ -90,8 +90,9 @@ type NPM struct {`
`90`	`90`	`}`
`91`	`91`
`92`	`92`	`type PyPi struct {`
`93`		- _ struct{} `additionalProperties:"false"`
`94`		- Token string `yaml:"token" required:"true"`
	`93`	+ _ struct{} `additionalProperties:"false"`
	`94`	+ Token string `yaml:"token,omitempty" description:"PyPI API token for token-based authentication. Not required if using trusted publishing."`
	`95`	+ UseTrustedPublishing *bool `yaml:"useTrustedPublishing,omitempty" description:"Use OIDC trusted publishing instead of token-based authentication. See https://docs.pypi.org/trusted-publishers/"`
`95`	`96`	`}`
`96`	`97`
`97`	`98`	`type Packagist struct {`
`@@ -195,9 +196,15 @@ func (p Publishing) Validate(target string) error {`
`195`	`196`	`}`
`196`	`197`	`}`
`197`	`198`	`case "python":`
`198`		`- if p.PyPi != nil && p.PyPi.Token != "" {`
`199`		`- if err := validateSecret(p.PyPi.Token); err != nil {`
`200`		`- return fmt.Errorf("failed to validate pypi token: %w", err)`
	`199`	`+ if p.PyPi != nil {`
	`200`	`+ usesTrustedPublishing := p.PyPi.UseTrustedPublishing != nil && *p.PyPi.UseTrustedPublishing`
	`201`	`+ if usesTrustedPublishing && p.PyPi.Token != "" {`
	`202`	`+ return fmt.Errorf("pypi token should not be provided when using trusted publishing")`
	`203`	`+ }`
	`204`	`+ if !usesTrustedPublishing && p.PyPi.Token != "" {`
	`205`	`+ if err := validateSecret(p.PyPi.Token); err != nil {`
	`206`	`+ return fmt.Errorf("failed to validate pypi token: %w", err)`
	`207`	`+ }`
`201`	`208`	`}`
`202`	`209`	`}`
`203`	`210`	`case "php":`
`@@ -262,8 +269,11 @@ func (p Publishing) IsPublished(target string) bool {`
`262`	`269`	`return true`
`263`	`270`	`}`
`264`	`271`	`case "python":`
`265`		`- if p.PyPi != nil && p.PyPi.Token != "" {`
`266`		`- return true`
	`272`	`+ if p.PyPi != nil {`
	`273`	`+ usesTrustedPublishing := p.PyPi.UseTrustedPublishing != nil && *p.PyPi.UseTrustedPublishing`
	`274`	`+ if usesTrustedPublishing \|\| p.PyPi.Token != "" {`
	`275`	`+ return true`
	`276`	`+ }`
`267`	`277`	`}`
`268`	`278`	`case "php":`
`269`	`279`	`if p.Packagist != nil {`