Commit 34a2575
Use PyPI Trusted Publishing for publishing releases (#640)
### Summary

- Switch PyPI publishing to Trusted Publishing via GitHub OIDC.

---

> [!NOTE]
> **Medium Risk**
> Changes how production packages are authenticated and published; misconfigured PyPI Trusted Publishing or job permissions would block releases until fixed.
>
> **Overview**
> Release publishing no longer uses a long-lived **`PYPI`** secret with **`uv publish`**. The **`build-and-publish`** job now grants **`id-token: write`** (and **`contents: read`**) and uploads wheels/sdists with **`pypa/gh-action-pypi-publish@release/v1`**, which authenticates to PyPI through GitHub OIDC Trusted Publishing.
>
> **`uv build`** is unchanged; only the upload step and job permissions differ.
>
> Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit dc048fa. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).
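As an added example (not part of this commit or of the repository), the following stdlib-only Python lint encodes the two properties this change is after and that a reviewer would want checked on every release workflow: a job that publishes with `pypa/gh-action-pypi-publish` must grant `id-token: write` in its job-level `permissions`, and no step may still hand a long-lived PyPI API token to the uploader. It also warns when the publish action is pinned to a mutable ref rather than a commit SHA. The two workflow snippets inside it are constructed from the diff on this page (job name `build-and-publish`, `uv build` then publish); they are not the repository's full workflow.

```python
"""Stdlib-only lint for PyPI publish jobs in a GitHub Actions workflow.

Per job under the top-level 'jobs:' mapping:
  error - a step still references a long-lived PyPI API token
          (UV_PUBLISH_TOKEN / TWINE_PASSWORD / PYPI*_TOKEN, secrets.PYPI*)
  error - the job uses pypa/gh-action-pypi-publish but its job-level
          'permissions:' block lacks 'id-token: write' (OIDC exchange fails)
  warn  - the publish action is pinned to a mutable ref, not a commit SHA
Limitations (kept simple on purpose): block-style YAML only, no flow
mappings such as 'permissions: {id-token: write}', and no inheritance
from a workflow-level 'permissions:' key.
"""
import re

PUBLISH_ACTION = "pypa/gh-action-pypi-publish"
TOKEN_REF = re.compile(r"\b(UV_PUBLISH_TOKEN|TWINE_PASSWORD|PYPI_?(API_)?TOKEN)\b|secrets\.PYPI\w*")
ACTION_REF = re.compile(rf"uses:\s*{re.escape(PUBLISH_ACTION)}@(\S+)")
SHA_PIN = re.compile(r"[0-9a-f]{40}")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def split_jobs(text):
    """Map each job name to its non-blank, non-comment body lines."""
    jobs, current, job_indent, in_jobs = {}, None, None, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ind = _indent(line)
        if ind == 0:                      # a new top-level key
            in_jobs = line.rstrip() == "jobs:"
            current = None
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = ind              # indentation level of job names
        if ind == job_indent and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            jobs[current] = []
        elif current is not None:
            jobs[current].append(line)
    return jobs


def permissions_block(body):
    """Entries nested under the job-level 'permissions:' key ([] if absent)."""
    out, base = [], None
    for ln in body:
        if base is None:
            if ln.strip() == "permissions:":
                base = _indent(ln)
            continue
        if _indent(ln) <= base:           # left the permissions mapping
            break
        out.append(ln.strip())
    return out


def lint_workflow(text):
    """Return (level, message) findings for every job in the workflow."""
    findings = []
    for name, body in split_jobs(text).items():
        ref = ACTION_REF.search("\n".join(body))
        if ref:
            perms = permissions_block(body)
            if not any(re.fullmatch(r"id-token:\s*write", p) for p in perms):
                findings.append(("error", f"{name}: uses {PUBLISH_ACTION} without id-token: write"))
            if not SHA_PIN.fullmatch(ref.group(1)):
                findings.append(("warn", f"{name}: publish action pinned to mutable ref {ref.group(1)}"))
        for ln in body:
            if TOKEN_REF.search(ln):
                findings.append(("error", f"{name}: long-lived PyPI token still referenced: {ln.strip()}"))
    return findings


# Constructed from the diff on this page; not the repository's real workflow.
BEFORE_WORKFLOW = """\
name: auto-release
on: [push]
jobs:
  build-and-publish:
    runs-on: ubuntu-latest
    steps:
      - name: Build
        run: uv build
      - name: Publish to PyPI
        env:
          UV_PUBLISH_TOKEN: ${{ secrets.PYPI }}
        run: uv publish
"""

AFTER_WORKFLOW = """\
name: auto-release
on: [push]
jobs:
  build-and-publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Build
        run: uv build
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
"""

if __name__ == "__main__":
    for label, wf in (("before", BEFORE_WORKFLOW), ("after", AFTER_WORKFLOW)):
        print(label, lint_workflow(wf) or "clean")
```

Run as a script it reports one error for the pre-change job (the `secrets.PYPI` token) and only the mutable-ref warning for the post-change job; replacing `release/v1` with a 40-character commit SHA makes the second report empty. The same function can be pointed at any workflow file in a pre-merge check.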
1 parent ade2e58 commit 34a2575

1 file changed

Lines changed: 4 additions & 3 deletions

.github/workflows/auto-release.yml
@@ -251,6 +251,9 @@ jobs:
251251
runs-on: ubuntu-latest
252252
needs: [gate, release]
253253
if: needs.gate.outputs.should_release == 'true'
254+
permissions:
255+
contents: read
256+
id-token: write
254257

255258
steps:
256259
- name: Check out repository
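Review bot: the new job-level `permissions` block narrows this job's `GITHUB_TOKEN` to `contents: read` and `id-token: write`, so any step in `build-and-publish` that previously relied on the default write token (pushing a tag, creating the GitHub release, uploading release assets) will now fail with a 403; since the job has `needs: [gate, release]` those actions presumably live in `release`, but that should be confirmed for every step after `Check out repository` before merging. Also worth stating in the PR: the OIDC exchange only succeeds if the PyPI Trusted Publisher entry names this exact workflow file (`auto-release.yml`) and, should the job later be given an `environment:`, that environment name too; a mismatch only surfaces at publish time, which is the "Medium Risk" the summary flags.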
@@ -281,6 +284,4 @@ jobs:
281284
run: uv build
282285

283286
- name: Publish to PyPI
284-
env:
285-
UV_PUBLISH_TOKEN: ${{ secrets.PYPI }}
286-
run: uv publish
287+
uses: pypa/gh-action-pypi-publish@release/v1
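Review bot: `pypa/gh-action-pypi-publish@release/v1` is a mutable branch ref, so the one step that holds the OIDC publishing credential now runs whatever that branch points to at release time; pin it to a full commit SHA (keeping the tag in a trailing comment) and let Dependabot move the pin. Two follow-ups the hunk implies but does not show: the `secrets.PYPI` API token is no longer referenced anywhere in this job and should be revoked on PyPI and deleted from the repository secrets rather than left dormant, and the action defaults to uploading `dist/`, which matches `uv build`'s default output directory, but making that explicit with `packages-dir: dist/` guards against a silent mismatch if the build step ever changes.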

0 commit comments