ci: migrate PyPI publishing to OIDC Trusted Publishing#363
Merged
jesseturner21 merged 1 commit into main on Mar 24, 2026
Conversation
6a450c6 to 69a60f7
tejaskash approved these changes, Mar 24, 2026
jesseturner21 approved these changes, Mar 24, 2026
Migrate PyPI Publishing to Trusted Publishing
Update our PyPI release workflow by migrating from a long-lived API token to OpenID Connect (OIDC) Trusted Publishing, the approach PyPI currently recommends for publishing from GitHub Actions.
What changed
Long-lived API tokens are a maintenance burden. With this change, GitHub will now generate a short-lived cryptographic token at publish time that PyPI verifies directly. The token is scoped to a single workflow run and expires immediately after.
What else was improved
The version existence check before publishing was updated to use the official PyPI JSON API, which is stable and versioned, replacing a previous approach that was fragile across different environments.
After this PR merges
Once the next release confirms publishing works correctly, the old PYPI_API_TOKEN secret should be deleted from the repo settings and the corresponding token removed from PyPI account settings.
No functional change to the release process: the trigger, the approval gate, the build steps, and the GitHub Release creation are all identical to before. Only the authentication mechanism for the PyPI publish step has changed.
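As an added example (not code from this PR or from the project), the following Python script shows the two checks the description above refers to: the pre-publish version-existence check against the PyPI JSON API at https://pypi.org/pypi/<project>/json, and the claim matching that a Trusted Publisher configuration implies, applied to the decoded payload of a GitHub Actions OIDC token. The organisation, project, workflow and environment names, the sample JSON response and the token itself are constructed placeholders; verifying the token's signature against GitHub's JWKS is PyPI's job and is not reproduced here.

```python
"""Added example, not the project's code: (1) version-existence check via the
PyPI JSON API and (2) Trusted Publisher claim matching on a GitHub OIDC token.
All names, the sample JSON and the sample token are constructed."""
import base64
import json
import time
import urllib.error
import urllib.request

GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"
PYPI_JSON_API = "https://pypi.org/pypi/{project}/json"


# --- (1) "does this version already exist on PyPI?" ------------------------

def fetch_project_json(project: str):
    """GET the project's JSON document; None if the project is not on PyPI yet."""
    try:
        with urllib.request.urlopen(PYPI_JSON_API.format(project=project), timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None  # first release of a new project: nothing to collide with
        raise


def version_exists(project_json, version: str) -> bool:
    """True if `version` is listed under 'releases'. A release whose file list is
    empty still counts: PyPI does not accept a filename it has seen before."""
    if project_json is None:
        return False
    return version in project_json.get("releases", {})


# Constructed stand-in for a PyPI JSON API response (only the fields used here).
SAMPLE_PROJECT_JSON = {
    "info": {"name": "example-project", "version": "1.2.0"},
    "releases": {
        "1.1.0": [{"filename": "example_project-1.1.0-py3-none-any.whl"}],
        "1.2.0": [{"filename": "example_project-1.2.0-py3-none-any.whl"}],
    },
}


# --- (2) what PyPI matches the OIDC token against ----------------------------

def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a JWT. No signature check: PyPI does that
    against GitHub's published keys; here we only look at what it then matches."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def match_trusted_publisher(claims: dict, publisher: dict, now=None) -> list:
    """Return a list of mismatches (empty list = token matches this publisher).
    `publisher` holds the four fields a PyPI Trusted Publisher form asks for."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != GITHUB_OIDC_ISSUER:
        problems.append("issuer is not GitHub Actions")
    aud = claims.get("aud")
    if aud != "pypi" and not (isinstance(aud, list) and "pypi" in aud):
        problems.append("audience is not pypi")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        problems.append("token is expired or not yet valid")
    owner, _, repo = claims.get("repository", "").partition("/")
    # GitHub owner and repository names are case-insensitive.
    if owner.lower() != publisher["owner"].lower() or repo.lower() != publisher["repository"].lower():
        problems.append("repository does not match")
    # job_workflow_ref looks like owner/repo/.github/workflows/<file>@<ref>
    workflow_file = claims.get("job_workflow_ref", "").split("@", 1)[0].rsplit("/", 1)[-1]
    if workflow_file != publisher["workflow_filename"]:
        problems.append("workflow filename does not match")
    if publisher.get("environment") and claims.get("environment") != publisher["environment"]:
        problems.append("environment does not match")
    return problems


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


NOW = 1_774_300_000  # constructed reference time used by the sample token
SAMPLE_PUBLISHER = {"owner": "example-org", "repository": "example-project",
                    "workflow_filename": "release.yml", "environment": "pypi"}
SAMPLE_CLAIMS = {  # constructed; shape follows GitHub's OIDC token claims
    "iss": GITHUB_OIDC_ISSUER, "aud": "pypi",
    "sub": "repo:example-org/example-project:environment:pypi",
    "repository": "example-org/example-project", "repository_owner": "example-org",
    "job_workflow_ref": "example-org/example-project/.github/workflows/release.yml@refs/tags/v1.3.0",
    "environment": "pypi", "ref": "refs/tags/v1.3.0", "run_id": "1234567890",
    "nbf": NOW - 60, "iat": NOW, "exp": NOW + 300,
}
SAMPLE_TOKEN = ".".join([_b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
                         _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
                         _b64url(b"not-a-real-signature")])

if __name__ == "__main__":
    print("1.2.0 already on PyPI:", version_exists(SAMPLE_PROJECT_JSON, "1.2.0"))
    print("1.3.0 already on PyPI:", version_exists(SAMPLE_PROJECT_JSON, "1.3.0"))
    print("mismatches:", match_trusted_publisher(decode_jwt_payload(SAMPLE_TOKEN), SAMPLE_PUBLISHER, now=NOW))
```

On the Actions side, the publishing job needs `permissions: id-token: write` and uses `pypa/gh-action-pypi-publish` with no `password` input; the `aud: pypi` claim is what that action requests from GitHub. Any mismatch in the listed claims (a fork, a renamed workflow file, a job running outside the configured environment) is rejected by PyPI, which is exactly the binding a static `PYPI_API_TOKEN` copied out of the repository secrets never had.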