Skip to content

ci: use OIDC trusted publishing via wevm/changelogs#138

Merged
brendanjryan merged 1 commit into
mainfrom
brendan/fix-publish-pypi-token
May 2, 2026
Merged

ci: use OIDC trusted publishing via wevm/changelogs#138
brendanjryan merged 1 commit into
mainfrom
brendan/fix-publish-pypi-token

Conversation

@brendanjryan

@brendanjryan brendanjryan commented May 2, 2026

Copy link
Copy Markdown
Collaborator

Problem

Releases since v0.6.0 have been failing with 403 Forbidden from PyPI:

ERROR    HTTPError: 403 Forbidden from https://upload.pypi.org/legacy/

Root cause: wevm/changelogs did not support PyPI Trusted Publishing — it required a static pypi-token input, which we had not configured.

Fix

Two-part fix:

  1. Upstream: tempoxyz/changelogs#116 added native OIDC trusted publishing to the action. When pypi-token is empty and the workflow has id-token: write, it mints a short-lived PyPI API token via PyPI's _/oidc/mint-token endpoint and uses it as TWINE_PASSWORD for the existing twine upload.
  2. This PR: bump the action ref to the merge commit and grant id-token: write + environment: release so the OIDC mint flow runs.

@brendanjryan brendanjryan force-pushed the brendan/fix-publish-pypi-token branch from e165a90 to 7aa14fa Compare May 2, 2026 19:10
@brendanjryan brendanjryan changed the title ci: pass PYPI_API_TOKEN to changelogs publish ci: use OIDC trusted publishing for PyPI releases May 2, 2026
wevm/changelogs now natively supports PyPI Trusted Publishing (OIDC)
as of tempoxyz/changelogs#116. When pypi-token is empty and the
workflow has id-token: write, it mints a short-lived PyPI API token
by exchanging the GitHub OIDC ID token at PyPI's _/oidc/mint-token
endpoint, removing the need for a long-lived static API token.

Pin to the merge commit (de02501) until a new changelogs release is
cut, and grant id-token: write + environment: release to the release
job so the OIDC mint flow runs and matches the registered Trusted
Publisher (tempoxyz/pympp + publish.yml + release).
@brendanjryan brendanjryan force-pushed the brendan/fix-publish-pypi-token branch from 7aa14fa to 0126559 Compare May 2, 2026 19:26
@brendanjryan brendanjryan changed the title ci: use OIDC trusted publishing for PyPI releases ci: use OIDC trusted publishing via wevm/changelogs May 2, 2026
@brendanjryan brendanjryan merged commit add1c6b into main May 2, 2026
11 checks passed
@brendanjryan brendanjryan deleted the brendan/fix-publish-pypi-token branch May 2, 2026 19:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant