Merged
Conversation
GitHub Actions caches Docker images based on Dockerfile and action.yml content. Since neither changed between v15 and v15.55.2-alpha.1, the cached image from v15 was being used, which didn't include the PyPI trusted publishing changes. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
github.job_workflow_sha can be empty in reusable workflows, causing checkout to default to the main branch instead of the workflow's tag. Extract the ref from github.workflow_ref which is more reliable. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
github.job_workflow_sha is empty in reusable workflows. github.workflow_ref returns the caller's ref, not the reusable workflow's ref. Solution: Query the GitHub API for the run's referenced_workflows array, which contains the actual SHA of the reusable workflow. See: actions/toolkit#1264 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add workflow outputs to sdk-publish.yaml for python_regenerated, python_directory, publish_python, and use_pypi_trusted_publishing - Skip publish-pypi job when OIDC is enabled (users handle it separately) - Remove OIDC-specific steps from token-based publish-pypi job - Create publish-pypi composite action for OIDC trusted publishing Users who want OIDC trusted publishing can now add a separate job in their workflow that calls the composite action, which runs in their workflow's OIDC context. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The pypa/gh-action-pypi-publish Docker action incorrectly resolves the GITHUB_ACTION_REPOSITORY and GITHUB_ACTION_REF context variables when used within composite actions, causing it to try to run the wrong Docker image (speakeasy-api/sdk-generation-action instead of pypa's own image). Using uv publish --trusted-publishing always avoids this issue entirely since it runs directly in the shell context without Docker. Also added ref parameter to checkout step to ensure the correct tag version is checked out instead of main. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
vishalg0wda
approved these changes
Feb 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changed?
sdk-gen-configto latestassertPyPiTrustedPublishingconfig through to GHA