Context
The migration from wphillipmoore to mq-rest-admin-project changed the GitHub repository owner. PyPI trusted publishing (OIDC) is configured per-repository, and the publisher configuration must match the new organization and repository name for publishing to succeed.
Current state
- PyPI package name: pymqrest (unchanged)
- Package version: 1.2.3
- Publishing via OIDC trusted publishing (no API tokens)
- CD workflow uses vergil-project/vergil-actions/.github/workflows/cd-release.yml@v2.0 with registry-publish: true
- id-token: write permission is set in cd.yml
- Previous releases were published from wphillipmoore/mq-rest-admin-python
What needs to happen
- Update trusted publisher on PyPI — The existing OIDC trusted publisher is configured for the old owner (wphillipmoore). It must be updated to match the new organization at pypi.org/manage/project/pymqrest/settings/publishing/:
  - Owner: mq-rest-admin-project (was wphillipmoore)
  - Repository: mq-rest-admin-python (unchanged)
  - Workflow name: cd-release.yml or whatever the reusable workflow resolves to — verify the exact workflow filename that PyPI sees in the OIDC token claims
  - Environment: (check if the reusable workflow uses a GitHub environment)
- Reusable workflow OIDC claims — Since publishing goes through vergil-project/vergil-actions/.github/workflows/cd-release.yml, the OIDC token job_workflow_ref claim will reference the reusable workflow, not cd.yml. The trusted publisher configuration on PyPI must match this. Check how other vergil-project repos (e.g. vergil-tooling) have their trusted publisher configured for the pattern.
- Test the pipeline — Before cutting a real release, verify the OIDC handshake works. A failed publish on the first release from the new org would be disruptive. Options:
  - Check PyPI trusted publisher debug logs from a previous successful publish for the exact claim values
  - Do a test release with a patch bump
- PyPI project ownership — Verify that the PyPI project pymqrest is accessible to the maintainer account. The package was originally published from the personal GitHub account; PyPI account ownership is independent of GitHub organization.
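An added example (not part of the original issue or the project's code) for the claim check described above: it decodes the payload of a GitHub Actions OIDC token without verifying the signature and lists where a trusted publisher entry differs from the observed claims. The token and its claim values are constructed, the helper names are hypothetical, and the comparison is a debugging aid rather than PyPI's own matching logic.

```python
import base64
import json

def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def split_workflow_ref(ref: str) -> dict:
    """'owner/repo/.github/workflows/file.yml@git-ref' -> its components."""
    path, _, git_ref = ref.partition("@")
    owner, repo, workflow_path = path.split("/", 2)
    return {"owner": owner, "repository": repo,
            "workflow": workflow_path.rsplit("/", 1)[-1], "git_ref": git_ref}

def publisher_view(claims: dict) -> dict:
    """Collect the values to compare with the fields on the PyPI publisher form."""
    job = split_workflow_ref(claims["job_workflow_ref"])
    owner, _, repo = claims["repository"].partition("/")
    return {"owner": owner, "repository": repo, "workflow": job["workflow"],
            "environment": claims.get("environment"),
            # True when the job is defined in a reusable workflow in another repo
            "job_workflow_is_external": (job["owner"], job["repository"]) != (owner, repo)}

def mismatches(view: dict, publisher: dict) -> dict:
    """Fields where the configured publisher differs: {field: (configured, observed)}."""
    return {k: (v, view[k]) for k, v in publisher.items() if view[k] != v}

def _constructed_token(claims: dict) -> str:
    """Build an unsigned sample token so the example runs offline."""
    b64 = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none"}), b64(claims), "sig"])

# Constructed claim values, modelled on the names in this issue.
SAMPLE = _constructed_token({
    "repository": "mq-rest-admin-project/mq-rest-admin-python",
    "repository_owner": "mq-rest-admin-project",
    "workflow_ref": "mq-rest-admin-project/mq-rest-admin-python/.github/workflows/cd.yml@refs/tags/v0.0.0",
    "job_workflow_ref": "vergil-project/vergil-actions/.github/workflows/cd-release.yml@refs/tags/v2.0",
})

if __name__ == "__main__":
    view = publisher_view(decode_claims(SAMPLE))
    stale = {"owner": "wphillipmoore", "repository": "mq-rest-admin-python", "workflow": "cd-release.yml"}
    print(view)
    print(mismatches(view, stale))  # the stale owner is the only differing field
```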
Reference
- release-workflow.md documents the setup steps