Supported PyPI trusted publishers

[lpsinger]

See https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/, https://docs.pypi.org/trusted-publishers/using-a-publisher/.

To support trusted publishers, add this to the pypa/gh-action-pypi-publish step:

permissions:
  id-token: write

Perhaps a boolean flag to turn this on or off?

[ConorMacBride]

I think we need to wait for pypi/warehouse#11096 to be closed before this will work in the reusable workflows unfortunately.

Once it is, adding what you have above to the upload job in each publish workflow should be all that is needed. The user and password inputs should be okay to keep — it will attempt the trusted publisher authentication when the password is empty. I think it should be fine without an additional flag to enable.

[pllim]

Any update on this? Has the situation changed? PyPA merged the recommendations into https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/

[Cadair]

Last I checked (a couple of weeks ago) it's still unsupported upstream.

[Cadair]

Looks like if you forked the templates into the same org you could maybe make it work: pypi/warehouse#11096 (comment)

[mhvk]

Saw the github notifications about trusted publishers while building pyerfa - is there any update on how this should be done? Feel free to point me to documentation... (Right now, google/duckduckgo both lead to this issue, so that would help others too...)

[pllim]

AFAIK PyPI has not implemented the support yet. This issue is still unresolved:

• Trusted publishing: Support for GitHub reusable workflows pypi/warehouse#11096

[Cadair]

yep we are waiting for upstream support. Apparently it's being worked on currently.

[mhvk]

Thanks, both! Funny that github is pushing it so much if it only half works...

[astrofrog]

APLpy has started erroring on upload to PyPI because of this:

Error: Trusted publishing exchange failure: 
OpenID Connect token retrieval failed: GitHub: missing or insufficient OIDC token permissions, the ACTIONS_ID_TOKEN_REQUEST_TOKEN environment variable was unset

This generally indicates a workflow configuration error, such as insufficient
permissions. Make sure that your workflow has `id-token: write` configured
at the job level, e.g.:

permissions:
  id-token: write

Learn more at https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings.

https://github.com/aplpy/aplpy/actions/runs/11846325120/job/33013937737

Is there any workaround at this point?

[astrofrog]

Should we perhaps change the workflows to use twine do to the upload ourselves instead of using pypa/gh-action-pypi-publish? Or would that not fix it?

[pllim]

I think you have to disable trusted publishing if you use the workflow from here, for now.

[astrofrog]

@pllim - how does one do this?

[pllim]

I cannot see aplpy admin page, but on my own package , here is how I get to it:

1. Log in to PyPI.
2. Your Projects -> package name -> Manage
3. Select Publishing from left navbar
4. See screenshot below