
Migrate publish workflow to OIDC trusted publishing#2

Merged
MrTravisB merged 1 commit into main from travis/trusted-pub on Nov 12, 2025

Conversation

@MrTravisB
Collaborator

Summary

Migrates the publish workflow from API token authentication to OIDC trusted publishing for both PyPI and TestPyPI.

Changes

  • Added `id-token: write` and `contents: read` permissions at both workflow and job levels
  • Replaced `twine upload` commands with the `pypa/gh-action-pypi-publish@release/v1` action
  • Removed dependency on the `TEST_PYPI_API_TOKEN` and `PYPI_API_TOKEN` secrets
  • Maintained existing package verification steps for TestPyPI

Benefits

  • More secure: Uses short-lived OIDC tokens instead of long-lived API tokens
  • No token management: No secrets to rotate or secure
  • Better auditability: PyPI can verify which workflow published each version
  • Simpler maintenance: Fewer secrets to manage in repository settings

Configuration Required

Before merging, trusted publishers must be configured on both platforms:

TestPyPI

https://test.pypi.org/manage/account/publishing/

  • Owner: Mozilla-Ocho
  • Repository: tabstack-python
  • Workflow: publish.yml
  • Environment: (leave blank)

PyPI

https://pypi.org/manage/account/publishing/

  • Same configuration as TestPyPI

🤖 Generated with Claude Code

- Add id-token and contents permissions at workflow and job level
- Replace twine uploads with pypa/gh-action-pypi-publish action
- Remove API token dependencies (TEST_PYPI_API_TOKEN, PYPI_API_TOKEN)
- Maintain existing verification steps for TestPyPI

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
MrTravisB merged commit d0ee25c into main on Nov 12, 2025
6 checks passed
MrTravisB deleted the travis/trusted-pub branch on November 12, 2025 at 21:27