Switch PyPI publishing to OIDC trusted publishing (remove API token) #1268

Merged
SkBlaz merged 2 commits into SkBlaz/py3plex:master from SkBlaz/py3plex:copilot/update-publishing-workflow
Mar 13, 2026

Copilot AI commented Mar 13, 2026

PyPI now supports trusted publishing via OIDC, making stored API tokens unnecessary. Updates the publish workflow to drop the `PYPI_API_TOKEN` secret and rely solely on the `id-token: write` permission for authentication.

Changes

  • Removed `with: password: ${{ secrets.PYPI_API_TOKEN }}` from the `pypa/gh-action-pypi-publish` step — the action authenticates automatically via OIDC when `id-token: write` is granted
  • Added `# REQUIRED for trusted publishing` comment to `id-token: write` to make the permission's purpose explicit
  • Removed `timeout-minutes: 5` from the "Install uv" step and cleaned up inline event-trigger comments to match the canonical workflow format

Original prompt

This section details the original issue you should resolve

<issue_title>publishing workflow - update</issue_title>
<issue_description>No more token required, let's go with

```yaml
name: Publish Python package to PyPI

on:
  push:
    tags:
      - "v*"
  release:
    types: [published]
  workflow_dispatch:

jobs:
  build-and-publish:
    runs-on: ubuntu-latest

    permissions:
      contents: read
      id-token: write   # REQUIRED for trusted publishing

    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Install uv
        run: curl -LsSf https://astral.sh/uv/install.sh | sh

      - name: Install build backend
        run: |
          uv venv .venv
          source .venv/bin/activate
          uv pip install build

      - name: Build package
        run: |
          source .venv/bin/activate
          python -m build

      - name: Publish package to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
```
</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>


📱 Kick off Copilot coding agent tasks wherever you are with GitHub Mobile, available on iOS and Android.

Co-authored-by: SkBlaz <10035780+SkBlaz@users.noreply.github.com>
SkBlaz marked this pull request as ready for review March 13, 2026 07:39
SkBlaz self-requested a review as a code owner March 13, 2026 07:39
SkBlaz merged commit 283369c into master Mar 13, 2026
Copilot AI changed the title from "[WIP] Update publishing workflow for Python package" to "Switch PyPI publishing to OIDC trusted publishing (remove API token)" Mar 13, 2026
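
A line-oriented check for the change this PR describes, as an added example that is not part of the PR or the py3plex repository: it flags a publish workflow that lacks `id-token: write` or still passes a `password:` to the `pypa/gh-action-pypi-publish` step. The sample workflows are constructed from the PR description, `split_steps` and `audit_publish_workflow` are hypothetical helper names, and the matching is regex-based rather than a full YAML parse.

```python
import re

PUBLISH_ACTION = "pypa/gh-action-pypi-publish"

# Constructed sample: the publish job as the PR describes it before the change.
BEFORE = """\
jobs:
  build-and-publish:
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Build package
        run: python -m build
      - name: Publish package to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
"""
# Same job after the change: the stored token is gone, the permission stays.
AFTER = BEFORE.replace("        with:\n          password: ${{ secrets.PYPI_API_TOKEN }}\n", "")


def split_steps(workflow):
    """Group lines into step blocks; a '- key:' list item opens a new step."""
    steps = []
    for line in workflow.splitlines():
        if re.match(r"\s*-\s+[\w-]+:", line):
            steps.append([line])
        elif steps:
            steps[-1].append(line)
    return ["\n".join(s) for s in steps]


def audit_publish_workflow(workflow):
    """Return findings for a workflow that is meant to publish via OIDC only."""
    publish = [s for s in split_steps(workflow) if PUBLISH_ACTION in s]
    if not publish:
        return ["no publish step found"]
    findings = []
    if not re.search(r"^\s*id-token:\s*write\b", workflow, re.M):
        findings.append("missing permission id-token: write")
    if any(re.search(r"^\s*password:\s*\S", s, re.M) for s in publish):
        findings.append("publish step still passes a password")
    return findings


if __name__ == "__main__":
    print({"before": audit_publish_workflow(BEFORE), "after": audit_publish_workflow(AFTER)})
```

Only the publish step is inspected for `password:`, so the same key in an unrelated step does not raise a finding.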
Development

Successfully merging this pull request may close these issues.

publishing workflow - update