23 changes: 20 additions & 3 deletions .github/workflows/release.yml
Expand Up @@ -3,9 +3,7 @@ name: Release
on:
push:
tags: ["v*"]

permissions:
contents: write # create the GitHub release (the sole distribution channel)
workflow_dispatch: # manual (re)publish — e.g. push an already-tagged version to PyPI

P2 Limit manual PyPI publishes to main

When a maintainer manually dispatches this workflow from any branch other than main (GitHub's manual-run UI/CLI allow selecting a branch/ref, and github.ref then points at that ref), the build checks out that branch and pypi-publish still gets OIDC credentials and uploads it. That contradicts the "current main build" release path and can publish an unreviewed branch/version to PyPI without a GitHub release; add an if guard for workflow_dispatch on refs/heads/main or explicitly check out main for manual publishes.


jobs:
build:
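Review bot: removing the top-level `permissions:` block (the deleted `contents: write` line) changes the default for every job that does not declare its own `permissions` key: such jobs now get the repository's default `GITHUB_TOKEN` permissions rather than an explicit minimum, and the `build` job's body is outside this hunk so its token scope is worth checking. Keep a top-level `permissions: contents: read` so the build runs with a read-only token and only `github-release` and `pypi-publish` elevate through their job-level blocks.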
Expand All @@ -31,7 +29,12 @@ jobs:

github-release:
needs: build
# Only when a tag was pushed — a manual workflow_dispatch run publishes to
# PyPI without recreating the GitHub release for an existing tag.
if: startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-latest
permissions:
contents: write # create the GitHub release
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
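Review bot: the guard `if: startsWith(github.ref, 'refs/tags/')` is weaker than the comment above it ("Only when a tag was pushed"): a manual `workflow_dispatch` run can be started with an existing tag selected as the ref, in which case `github.ref` is `refs/tags/v…`, the condition is true, and this job would try to recreate the GitHub release for that tag. Tie the condition to the event as well, e.g. `if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')`, so a manual re-publish never touches the release.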
Expand All @@ -43,3 +46,17 @@ jobs:
with:
files: dist/*
generate_release_notes: true

pypi-publish:
needs: build
runs-on: ubuntu-latest
environment: pypi
permissions:
id-token: write # OIDC for PyPI Trusted Publishing — no token stored anywhere
steps:
- uses: actions/download-artifact@v4
with:
name: dist
path: dist
- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
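Review bot: `pypa/gh-action-pypi-publish@release/v1` points at a mutable branch, and this is the job that holds `id-token: write` and the `pypi` environment, so whatever that branch resolves to at run time executes with the OIDC credential that PyPI trusts. Pin it (and `actions/download-artifact@v4`) to a full commit SHA with the version in a trailing comment, and let Dependabot or a similar tool move the pin. The job also has no `if:` at all, so it runs for every trigger on whichever ref was selected; the branch restriction raised in the comment on the first hunk applies to this job specifically.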
8 changes: 5 additions & 3 deletions docs/RELEASE_CHECKLIST.md
@@ -1,9 +1,11 @@
# Release Checklist

A repeatable, copy-pasteable checklist for cutting a `codebase-index` release.
Distribution is **GitHub-only** today (no PyPI publish yet — see "Future
hardening"). Tagging `v*` triggers `.github/workflows/release.yml`, which builds,
`twine check`s, runs the clean-machine smoke, and publishes a GitHub release.
Tagging `v*` triggers `.github/workflows/release.yml`, which builds,
`twine check`s, runs the clean-machine smoke, publishes a **GitHub release**, and
publishes to **PyPI** via Trusted Publishing (OIDC — no stored token). A manual
`workflow_dispatch` run publishes the current `main` build to PyPI without
recreating a GitHub release (used to publish an already-tagged version).

Work top to bottom. Do not tag until every required box is checked.

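Review bot: the removed sentence pointed readers to a "Future hardening" section for PyPI publishing; if that section still lists PyPI as pending it now contradicts this paragraph and should be updated in the same change (it is outside this hunk). Since the new text relies on Trusted Publishing through the `pypi` environment, the checklist should also gain a one-time item confirming that the Trusted Publisher registered on PyPI names this repository, the `release.yml` workflow file and the environment `pypi`, because a mismatch there surfaces only as an upload failure at publish time.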