-
Notifications
You must be signed in to change notification settings - Fork 0
OIDC trusted publishing setup
Migrated from paxman repositorys docs/sprints/ folder as part of the Sprint 11 repo springclean.
Date: 2026-06-26 Sprint: Sprint 9 — Production Hardening Deliverable: D9.9 Status: Manual setup required (one-time, by repo admin)
Paxman uses PyPI Trusted Publishing (OpenID Connect) to publish to TestPyPI and (in Sprint 10) to PyPI. This means:
- No API tokens are stored in the repo or in the GitHub Actions environment.
- The GitHub Actions runner authenticates the publish request using a short-lived OIDC token, which PyPI validates against the trusted publisher config.
- This eliminates the risk of a leaked API token being used to publish a malicious release.
Per V1_ACCEPTANCE_CRITERIA.md §3.1 and SECURITY.md §3.3, secrets-by-reference
is a hard requirement; OIDC trusted publishing is the implementation of that
principle for PyPI releases.
- Go to https://test.pypi.org/manage/project/paxman/settings/publishing/
- Click "Add a new pending publisher"
- Fill in:
-
PyPI Project Name:
paxman -
Owner:
nexusnv -
Repository name:
paxman -
Workflow filename:
release.yml -
Environment name:
testpypi
-
PyPI Project Name:
- Click "Add"
Important: The "Environment name" field on the publisher must match the
environment: ...key in the workflow's publish job. For TestPyPI, the publisher usestestpypiand the workflow hasenvironment: testpypion thepublish-testpypijob. For PyPI, the publisher usespypiand the workflow hasenvironment: pypion thepublish-pypijob.
Same pattern as TestPyPI:
- Go to https://pypi.org/manage/project/paxman/settings/publishing/
- Click "Add a new pending publisher"
- Fill in:
-
PyPI Project Name:
paxman -
Owner:
nexusnv -
Repository name:
paxman -
Workflow filename:
release.yml -
Environment name:
pypi
-
PyPI Project Name:
- Click "Add"
Create GitHub environments to gate publishing:
- Go to https://github.com/nexusnv/paxman/settings/environments
- Create
testpypienvironment (no required reviewers needed for Sprint 10) - Create
pypienvironment (consider requiring 1+ review for production)
The release workflow (.github/workflows/release.yml) already references these
environment names on the publish jobs.
After setup, you should be able to:
- Create a tag:
git tag v0.5.0 && git push origin v0.5.0(Usegit push origin <tag-name>— nevergit push --tags, which can publish multiple tags unintentionally.) - GitHub Actions will trigger the
release.ymlworkflow - The workflow will run the full CI gates, then publish to TestPyPI
- Check https://test.pypi.org/project/paxman/ for the published package
-
No API tokens in repo:
grep -r "pypi_\|API_TOKEN" .github/returns no matches - No API tokens in environment: The GitHub OIDC token is short-lived (max 1 hour)
-
No secret in CI logs: The
pypa/gh-action-pypi-publishaction handles OIDC transparently -
Tamper-evident: A
SHA256SUMSchecksum file is generated as a post-build step (cd dist && sha256sum *.whl *.tar.gz > SHA256SUMS). Users verify artifact integrity withcd dist && sha256sum -c SHA256SUMS. This is distinct from the V1 replay hash (replay_hash), which is a separate deterministic signature of the normalization pipeline — the two mechanisms are complementary:SHA256SUMScovers distribution integrity, whilereplay_hashcovers normalization determinism.
Per the sprint risk register: "OIDC trusted publisher setup has a subtle misconfiguration: Medium likelihood, High impact. Test with TestPyPI first. Read PyPI's trusted publishing docs carefully. If OIDC fails, fall back to a token temporarily and document the rollback."
The fallback is to use a PyPI API token as a GitHub Actions secret:
- Generate a token at https://test.pypi.org/manage/account/token/
- Add it as a GitHub secret:
TESTPYPI_API_TOKEN - Temporarily modify
.github/workflows/release.ymlto usepassword: ${{ secrets.TESTPYPI_API_TOKEN }} - Document the rollback in this file and the release notes
This is NOT preferred — OIDC is the production path. The fallback exists for emergency recovery only.
- https://docs.pypi.org/trusted-publishers/
- https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication
- https://github.com/pypa/gh-action-pypi-publish#trusted-publishing
-
../SECURITY.md§3.3 — what the artifact contains (no secrets) -
../DEPENDENCIES.md— dependency policy