
ci: switch to PyPI Trusted Publishing (OIDC)#114

Merged
ad-m merged 1 commit into master from ci/trusted-publishing on Mar 7, 2026

Conversation

@ad-m
Owner

@ad-m ad-m commented Mar 7, 2026

Summary

  • Replace API token-based PyPI authentication with OpenID Connect (OIDC) Trusted Publishing
  • Separate build and publish into distinct jobs for better security (build artifacts are uploaded/downloaded between jobs)
  • Pin actions to latest stable versions (actions/checkout@v4, actions/setup-python@v5, pypa/gh-action-pypi-publish@release/v1)
  • Trigger only on tag pushes (previously triggered on all pushes, with tag condition only on the publish step)
  • Use python -m build instead of setup.py sdist bdist_wheel

Manual setup steps required

Before this workflow will work, the following manual configuration is needed:

1. Create GitHub Environments

In the repository Settings > Environments, create two environments:

  • pypi - for publishing to production PyPI
  • testpypi - for publishing to Test PyPI

2. Configure Trusted Publishers on PyPI

On PyPI:

  1. Go to Manage > Publishing for the python-anticaptcha project
  2. Add a new GitHub publisher with:
    • Owner: ad-m
    • Repository: python-anticaptcha
    • Workflow name: publish.yml
    • Environment name: pypi

3. Configure Trusted Publishers on TestPyPI

On TestPyPI:

  1. Same as above but with environment name: testpypi

4. Remove old secrets

Once trusted publishing is verified working, remove the now-unused repository secrets:

  • pypi_password
  • test_pypi_password

Recommended hardening

  • Add environment protection rules: In each GitHub environment's settings, add deployment protection rules such as required reviewers, so that publish jobs require manual approval before running
  • Restrict environment to tags only: Under each environment, set Deployment branches and tags to "Selected branches and tags" and add a rule matching only tags (e.g., v* or *) to prevent accidental publishes from branches
  • Enable branch protection on master: Require pull request reviews and status checks before merging, to prevent unauthorized tag creation
  • Consider adding tag protection rules: Under Settings > Tags, add a tag protection rule (e.g., v*) so only maintainers can create release tags
  • Pin the publish action to a commit SHA instead of release/v1 for even stronger supply-chain security (e.g., pypa/gh-action-pypi-publish@<full-sha>)
  • Enable Sigstore signing: pypa/gh-action-pypi-publish supports attestations via Sigstore; consider enabling attestations: true for additional package provenance

Test plan

  • Create GitHub environments (pypi, testpypi) as described above
  • Configure trusted publishers on PyPI and TestPyPI
  • Create a test tag and verify the workflow publishes to TestPyPI
  • Verify the workflow publishes to production PyPI
  • Remove old pypi_password and test_pypi_password secrets

Generated with Claude Code

Replace API token-based authentication with OpenID Connect trusted
publishing. This eliminates the need for stored PyPI secrets and
improves supply chain security.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ad-m ad-m merged commit b502215 into master Mar 7, 2026
0 of 7 checks passed
ad-m pushed a commit that referenced this pull request Mar 7, 2026
Remove manual twine upload step from development docs and add trusted
publishing changelog entry (PR #114).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ad-m added a commit that referenced this pull request Mar 7, 2026
* Fix obsolete and invalid documentation across the project

Update outdated references (setup.py → pyproject.toml, TravisCI → GitHub
Actions), fix broken example file links, correct typos and grammar in
README and Sphinx docs, update copyright year range, fix
geckodriver/chromedriver naming confusion in Makefile, update contact
email in CODE_OF_CONDUCT.md, and add comprehensive changelog entries
for all changes since 1.0.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Update release docs for trusted publishing via GitHub Actions

Remove manual twine upload step from development docs and add trusted
publishing changelog entry (PR #114).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add documentation for context manager, on_check callback, and ImageToTextTask inputs

Document three recently added features that were missing usage examples:
- Context manager support on AnticaptchaClient
- on_check callback parameter on Job.join()
- ImageToTextTask accepting file paths and raw bytes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Adam Dobrawy <naczelnik@jawne.info.pl>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>