Skip to content

Commit 7e7f8fa

Browse files
Switch PyPI publishing to OIDC trusted publishing (no API tokens needed)
- Add id-token: write permissions to publish-test and publish-prod jobs - Remove password/API token references in favor of OIDC authentication - Remove unnecessary checkout step from publish-test job Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 1e81236 commit 7e7f8fa

1 file changed

Lines changed: 4 additions & 5 deletions

File tree

.github/workflows/ci-cd.yml

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -96,10 +96,10 @@ jobs:
9696
runs-on: ubuntu-latest
9797
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
9898
environment: testpypi
99+
permissions:
100+
id-token: write
99101

100102
steps:
101-
- uses: actions/checkout@v4
102-
103103
- name: Download build artifacts
104104
uses: actions/download-artifact@v4
105105
with:
@@ -109,14 +109,15 @@ jobs:
109109
- name: Publish to TestPyPI
110110
uses: pypa/gh-action-pypi-publish@release/v1
111111
with:
112-
password: ${{ secrets.TEST_PYPI_API_TOKEN }}
113112
repository-url: https://test.pypi.org/legacy/
114113

115114
publish-prod:
116115
needs: test
117116
runs-on: ubuntu-latest
118117
if: github.event_name == 'release' && github.event.action == 'published'
119118
environment: pypi
119+
permissions:
120+
id-token: write
120121

121122
steps:
122123
- uses: actions/checkout@v4
@@ -139,8 +140,6 @@ jobs:
139140

140141
- name: Publish to PyPI
141142
uses: pypa/gh-action-pypi-publish@release/v1
142-
with:
143-
password: ${{ secrets.PYPI_API_TOKEN }}
144143

145144
security:
146145
runs-on: ubuntu-latest

0 commit comments

Comments
 (0)