
Commit d1cb17e

MHoroszowski and claude committed
ci: add PyPI Trusted Publishing workflow
Adds .github/workflows/publish.yml so future releases publish to PyPI automatically when a GitHub Release is published, using PyPI's OIDC Trusted Publishing instead of a long-lived API token stored as a repo secret.

Workflow:
- build job: checkout, build sdist+wheel, twine check, upload as workflow artifact.
- publish-pypi job: downloads the artifact and uploads to PyPI via pypa/gh-action-pypi-publish, gated on the `pypi` environment with id-token write permission for OIDC.

One-time setup required on PyPI side (cannot be done from this repo):
1. https://pypi.org/manage/project/python-pptx-extended/settings/publishing/
2. Add a GitHub publisher with:
   owner: MHoroszowski
   repository: python-pptx
   workflow: publish.yml
   environment: pypi
3. (Recommended) Create a `pypi` environment in repo Settings → Environments with branch protection requiring tag-based deploys.

Triggering a release after setup:
- Cut a GitHub Release pointing at a vX.Y.Z tag — this fires the workflow on `release: published`.
- workflow_dispatch is also wired for manual re-runs / overrides.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
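The publisher entry described in the commit message (owner, repository, workflow filename, environment) is what PyPI compares against the claims in the workflow run's OIDC token. The Python below is an added illustration, not PyPI's or this project's code: it models those matching rules as I understand them (repository, workflow file and environment are compared; the git ref is not), on constructed sample claims, and shows why a `workflow_dispatch` run from `main` passes the same check as a release run, so that the recommended `pypi` environment rule is what actually ties a publish to a tag.

```python
"""Model of how a PyPI Trusted Publisher entry is matched against a GitHub
OIDC token. Added illustration, not PyPI's or the project's implementation;
the matching rules are my reading of the published behaviour and every set of
claims below is a constructed sample.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class GitHubPublisher:
    """One 'Add a GitHub publisher' entry on the PyPI project settings page."""
    owner: str
    repository: str
    workflow_filename: str
    environment: Optional[str] = None  # None: any environment, or none at all


# job_workflow_ref looks like "owner/repo/.github/workflows/publish.yml@refs/tags/v1.0.0"
_JOB_WORKFLOW_REF = re.compile(
    r"^(?P<repo>[^/]+/[^/]+)/\.github/workflows/(?P<file>[^@]+)@(?P<ref>.+)$"
)


def match_publisher(publisher: GitHubPublisher, claims: dict) -> tuple[bool, list[str]]:
    """Return (accepted, reasons); every mismatch is recorded so a refused
    publish can be explained instead of failing silently."""
    reasons: list[str] = []
    expected_repo = f"{publisher.owner}/{publisher.repository}".lower()

    # 1. The token must come from the configured repository (GitHub names are case-insensitive).
    repo_claim = claims.get("repository", "")
    if repo_claim.lower() != expected_repo:
        reasons.append(f"repository {repo_claim!r} is not {expected_repo!r}")

    # 2. The workflow that minted the token must be the configured file in that same repo;
    #    a reusable workflow hosted elsewhere would show a different repo here.
    m = _JOB_WORKFLOW_REF.match(claims.get("job_workflow_ref", ""))
    if m is None:
        reasons.append("job_workflow_ref missing or malformed")
    else:
        if m.group("repo").lower() != expected_repo:
            reasons.append(f"workflow lives in {m.group('repo')!r}, not {expected_repo!r}")
        if m.group("file") != publisher.workflow_filename:
            reasons.append(f"workflow file {m.group('file')!r} is not {publisher.workflow_filename!r}")

    # 3. If the publisher pins an environment, the job must have run inside it.
    if publisher.environment is not None and claims.get("environment") != publisher.environment:
        reasons.append(f"environment {claims.get('environment')!r} is not {publisher.environment!r}")

    # Note what is NOT checked: claims["ref"]. A run from any branch that satisfies
    # 1-3 is accepted; only a deployment protection rule on the environment restricts the ref.
    return (not reasons, reasons)


def ref_is_release_tag(claims: dict, prefix: str = "refs/tags/v") -> bool:
    """The condition an environment tag rule enforces and the matcher above does not."""
    return claims.get("ref", "").startswith(prefix)


# Publisher configured exactly as the commit message lists it.
PUBLISHER = GitHubPublisher(
    owner="MHoroszowski", repository="python-pptx",
    workflow_filename="publish.yml", environment="pypi",
)


def _claims(repo: str, workflow: str, ref: str, environment: Optional[str]) -> dict:
    """Constructed sample: the subset of GitHub OIDC claims this model inspects."""
    c = {
        "repository": repo,
        "job_workflow_ref": f"{repo}/.github/workflows/{workflow}@{ref}",
        "ref": ref,
    }
    if environment is not None:
        c["environment"] = environment
    return c


RELEASE_RUN = _claims("MHoroszowski/python-pptx", "publish.yml", "refs/tags/v1.2.3", "pypi")
DISPATCH_RUN = _claims("MHoroszowski/python-pptx", "publish.yml", "refs/heads/main", "pypi")
FORK_RUN = _claims("attacker/python-pptx", "publish.yml", "refs/tags/v1.2.3", "pypi")
OTHER_WF_RUN = _claims("MHoroszowski/python-pptx", "ci.yml", "refs/tags/v1.2.3", "pypi")
NO_ENV_RUN = _claims("MHoroszowski/python-pptx", "publish.yml", "refs/tags/v1.2.3", None)

if __name__ == "__main__":
    samples = [("release", RELEASE_RUN), ("dispatch-from-main", DISPATCH_RUN),
               ("fork", FORK_RUN), ("other-workflow", OTHER_WF_RUN), ("no-environment", NO_ENV_RUN)]
    for name, claims in samples:
        ok, why = match_publisher(PUBLISHER, claims)
        print(f"{name:20} pypi-accepts={ok!s:5} from-release-tag={ref_is_release_tag(claims)!s:5} {why}")
```

Running it shows `dispatch-from-main` accepted by the matcher but not from a release tag: that is the case the environment rule in step 3 of the setup has to catch.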
1 parent 14ee64c commit d1cb17e

1 file changed

Lines changed: 59 additions & 0 deletions

File tree

.github/workflows/publish.yml

@@ -0,0 +1,59 @@
1+
name: publish
2+
3+
# Builds and publishes python-pptx-extended to PyPI using PyPI Trusted
4+
# Publishing (OIDC). No long-lived API token is stored in repo secrets — the
5+
# workflow's identity is verified by PyPI against the configured Trusted
6+
# Publisher (see one-time setup in the PR description).
7+
#
8+
# Triggers:
9+
# - GitHub Release published (recommended path: cut a release in the GH UI)
10+
# - Manual workflow_dispatch (override / re-run)
11+
#
12+
# Tag pushes alone do not trigger this; create a Release pointing at the tag.
13+
14+
on:
15+
release:
16+
types: [published]
17+
workflow_dispatch:
18+
19+
jobs:
20+
build:
21+
name: Build sdist and wheel
22+
runs-on: ubuntu-latest
23+
steps:
24+
- uses: actions/checkout@v4
25+
- name: Set up Python
26+
uses: actions/setup-python@v5
27+
with:
28+
python-version: "3.12"
29+
- name: Install build tooling
30+
run: python -m pip install --upgrade build
31+
- name: Build distributions
32+
run: python -m build
33+
- name: Verify metadata renders
34+
run: |
35+
python -m pip install --upgrade twine
36+
python -m twine check dist/*
37+
- name: Upload build artifacts
38+
uses: actions/upload-artifact@v4
39+
with:
40+
name: dist
41+
path: dist/
42+
43+
publish-pypi:
44+
name: Publish to PyPI
45+
needs: build
46+
runs-on: ubuntu-latest
47+
environment:
48+
name: pypi
49+
url: https://pypi.org/project/python-pptx-extended/
50+
permissions:
51+
id-token: write
52+
steps:
53+
- name: Download build artifacts
54+
uses: actions/download-artifact@v4
55+
with:
56+
name: dist
57+
path: dist/
58+
- name: Publish to PyPI
59+
uses: pypa/gh-action-pypi-publish@release/v1
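Review bot: With `workflow_dispatch:` under `on:` and `environment: name: pypi` on the publish-pypi job, anyone with write access can publish from any branch until the `pypi` environment actually carries a deployment protection rule limited to tag refs; PyPI matches the OIDC token on repository, workflow filename and environment name, not on the ref, so the environment rule the commit message marks "(Recommended)" is the only control that ties a publish to a `vX.Y.Z` tag and should be treated as required, or `workflow_dispatch` should be dropped until it exists. Two further hardening points in the same hunk: the actions are referenced by mutable refs (`actions/checkout@v4`, `actions/setup-python@v5`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`, `pypa/gh-action-pypi-publish@release/v1`), so pin each to a full commit SHA with the tag in a trailing comment; and add a top-level `permissions: contents: read` so the `build` job, which runs `pip install --upgrade build` and `twine` unpinned from the index, does not execute with the default `GITHUB_TOKEN` scopes while the `publish-pypi` job keeps its job-level `id-token: write`.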
