Why
PR #567 switched `release.yml` from OIDC Trusted Publishing to stored-token auth, because the OIDC path needs a one-time PyPI setup that hasn't been done. The workflow is now wired correctly but cannot actually upload until the secret is present in repo settings — until then it'll fall through to the idempotency-skip path (still green for already-published versions, but doesn't help fresh tags).
What
Add one repo secret:
1. `./.env` → copy the value of `POETRY_PYPI_TOKEN_PYPI` (the `pypi-...` string).
2. Repo Settings → Secrets and variables → Actions → New repository secret:
   - Name: `PYPI_API_TOKEN`
   - Value: (paste the token from step 1)
3. (optional) Same flow for `TESTPYPI_API_TOKEN` if green TestPyPI dry runs matter.
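A command-line alternative to the copy-and-paste steps above, as an added example that is not part of the original issue or the repository: it reads `POETRY_PYPI_TOKEN_PYPI` from `./.env` without sourcing the file and hands it to `gh secret set` over stdin, so the token is never echoed or placed on a command line. It assumes the GitHub CLI (`gh`) is installed and authenticated for this repo; the function names `dotenv_get`, `looks_like_pypi_token` and `push_secret` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the repository): move the PyPI token from ./.env into
# the PYPI_API_TOKEN secret without sourcing the file or printing the value.

# Print KEY's value from a dotenv file: last assignment wins, optional
# "export " prefix, trailing whitespace/CR and one pair of quotes are stripped.
dotenv_get() {
  sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?$1[[:space:]]*=[[:space:]]*//p" "$2" \
    | tail -n 1 \
    | sed -E -e 's/[[:space:]]+$//' -e 's/^"(.*)"$/\1/' -e "s/^'(.*)'\$/\\1/"
}

# Shape check only: "pypi-" prefix, non-empty remainder, no embedded whitespace.
looks_like_pypi_token() {
  case $1 in
    pypi-*[[:space:]]*) return 1 ;;
    pypi-?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read the token from the dotenv file ($2, default ./.env) and store it as repo
# secret $1. printf is a shell builtin, so the value never appears in another
# process's argument list; gh reads the secret body from stdin.
push_secret() {
  _token=$(dotenv_get POETRY_PYPI_TOKEN_PYPI "${2:-./.env}")
  if ! looks_like_pypi_token "$_token"; then
    echo "no pypi-... value for POETRY_PYPI_TOKEN_PYPI in ${2:-./.env}" >&2
    return 1
  fi
  printf '%s' "$_token" | gh secret set "$1"
}

# Run with --apply from the repository root; without it nothing is changed.
if [ "${1:-}" = "--apply" ]; then
  push_secret PYPI_API_TOKEN ./.env && gh secret list
fi
```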
Verify
After adding the secret, re-run the workflow against v1.0.1 (Actions → "release" → the v1.0.1 run → "Re-run all jobs"). Expected:
- Build step succeeds.
- "Is this version already on PyPI?" step detects 1.0.1, sets `skip=true`, the upload step is skipped.
- `pypi` deployment goes green in the repo widget.
Then on the next release (v1.0.2, v1.1.0, …) the same workflow will actually upload to PyPI instead of skipping — no more manual `set -a; . ./.env; set +a; poetry publish` step.
Acceptance
- `PYPI_API_TOKEN` exists in repo secrets.
- A re-run of the v1.0.1 release workflow completes successfully and the deployment widget shows green.
- The next `v*` Release tag publishes to PyPI without human intervention beyond clicking "Publish release."
Related