ci: fix PyPI publish 403 by granting OIDC perms to changelogs job #137
The wevm/changelogs action runs twine upload itself from the `release` job, but that job had neither `id-token: write` nor `environment: release`, so PyPI Trusted Publishing rejected the upload with 403 Forbidden. Add both to the `release` job so the OIDC token issued matches the PyPI trusted publisher entry (tempoxyz/pympp + publish.yml + release).
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ad950ba81c
| environment: release | ||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
| id-token: write |
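Review bot: the hunk adds `environment: release` and `id-token: write` to the `release` job but leaves the downstream `publish` job untouched, even though the description calls it redundant; once wevm/changelogs succeeds and sets `published=true`, the `if: needs.release.outputs.published == 'true'` gate runs pypa/gh-action-pypi-publish against the same version, which fails on duplicates by default. Either remove the `publish` job in this same change or set `skip-existing: true` on it so a successful release does not end in a red workflow run. Also worth confirming that `id-token: write` stays scoped to this one job rather than the workflow level, since every step in a job holding that permission can mint an OIDC token.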
Avoid triggering a second PyPI upload for the same release
Granting release OIDC permissions here makes wevm/changelogs able to publish from the release job, and that action sets published=true when it uploads. In this workflow, that output immediately triggers the separate publish job (if: needs.release.outputs.published == 'true'), which attempts to upload the same version again via pypa/gh-action-pypi-publish; its default is to fail on duplicates (skip-existing is disabled by default), so successful releases can still end in a failed workflow run.
Problem
Every release commit since `v0.6.0` has failed to publish to PyPI with `403 Forbidden`: PyPI shows `0.6.0` (Apr 7) as the last published version — `0.6.2`, `0.6.3`, and `0.7.0` never landed.

Root cause
The `wevm/changelogs` action runs `twine upload` itself from inside the `release` job. PyPI Trusted Publishing requires:
- `id-token: write` permission (to mint an OIDC token)
- `release` environment (matching the publisher entry)

The `release` job had neither — only `contents: write` and `pull-requests: write`. So the OIDC claim either wasn't issued or didn't match the trusted publisher entry, and PyPI returned 403.

The separate `publish` job below was correctly configured but never ran because `release` errored out, and is redundant since changelogs already handles the upload.

Fix
Add `environment: release` and `id-token: write` to the `release` job so the OIDC token issued matches the PyPI trusted publisher entry (`tempoxyz/pympp` + `publish.yml` + `release`).
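The before/after shape of the `release` job, as an added illustration that is not the repository's real `publish.yml`; the workflow trigger, step names, action version tags and the step-output mapping for `published` are assumptions, and the `publish` job shows the `skip-existing` mitigation for the duplicate-upload concern raised in review:

```yaml
# Constructed example, not the real tempoxyz/pympp publish.yml.
# Trigger, step ids and action version tags are assumptions.
name: publish
on:
  push:
    branches: [main]

jobs:
  release:
    runs-on: ubuntu-latest
    # BEFORE: no environment and no id-token permission, so the twine upload
    # run by wevm/changelogs cannot obtain an OIDC token whose claims match the
    # trusted publisher entry (tempoxyz/pympp + publish.yml + release) and
    # PyPI answers 403 Forbidden:
    #
    # permissions:
    #   contents: write
    #   pull-requests: write
    #
    # AFTER: environment name plus the OIDC permission yield a matching token.
    # id-token: write is granted only to this job; other jobs keep the default.
    environment: release
    permissions:
      contents: write
      pull-requests: write
      id-token: write
    outputs:
      published: ${{ steps.changelogs.outputs.published }}  # mapping assumed
    steps:
      - uses: actions/checkout@v4
      - id: changelogs
        uses: wevm/changelogs@v0   # version tag assumed

  # Second upload path for the same version. Either delete this job (the
  # description calls it redundant) or make the duplicate upload tolerated so a
  # successful release does not end in a failed run.
  publish:
    needs: release
    if: needs.release.outputs.published == 'true'
    runs-on: ubuntu-latest
    environment: release
    permissions:
      id-token: write
    steps:
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          skip-existing: true   # disabled by default; tolerates the duplicate
```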