.. _oa-ghaw-trusted-publishing:

Using These Workflows with Trusted Publishing
---------------------------------------------
`Trusted Publishing `__ is a feature of PyPI which uses short-lived tokens generated by a configured CI platform, in this case GitHub Actions.
Currently, there is no direct support for using trusted publishing from within a reusable workflow; see `this issue `__ and the links therein.
To work around this limitation, the :ref:`oa-ghaw-publish` and :ref:`oa-ghaw-publish-pure` workflows support uploading the built distributions as artifacts, which a subsequent job can then upload to PyPI.
Taking the example from :ref:`oa-ghaw-publish`, we add two new lines:

.. code-block:: yaml
   :emphasize-lines: 5,6

   jobs:
     build:
       uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish.yml@v1
       with:
         save_artifacts: true
         upload_to_pypi: false
         test_groups: test, concurrency
         test_extras: recommended
         test_command: pytest --pyargs test_package
         targets: |
           - linux
           - cp3?-macosx_x86_64

Setting ``upload_to_pypi: false`` means that the publish (or publish_pure) workflow will never try to upload to PyPI by itself.
Setting ``save_artifacts: true`` means that it will always run the ``actions/upload-artifact`` step, so subsequent jobs in the workflow can use the built dists.
Next we have to configure a new job, which downloads the artifacts and then uses the `gh-action-pypi-publish `__ action to upload to PyPI.
As we are using trusted publishing, no options need to be configured for this action; it only needs the job to grant the ``id-token: write`` permission so it can obtain the short-lived token.
We also add an ``if`` condition to the job so that it only runs on tags starting with a ``v``.

.. code:: yaml

   jobs:
     build:
       ...

     upload:
       if: startsWith(github.ref, 'refs/tags/v')
       name: Upload built artifacts to PyPI
       runs-on: ubuntu-latest
       needs: [build]
       permissions:
         id-token: write
       steps:
         - name: Download artifacts
           uses: actions/download-artifact@v7
           with:
             merge-multiple: true
             pattern: dist-*
             path: dist
         - name: Run upload
           uses: pypa/gh-action-pypi-publish@release/v1

You will also need to `Add a Trusted Publisher `__ to your PyPI project.
If, as recommended, you are using a deployment environment, don't forget to add that to the job definition as well, since PyPI matches the environment name as part of the trusted publisher configuration.
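As an added example (not part of the OpenAstronomy workflows documentation or the project's own templates), the fragments above combined into one complete workflow file with a deployment environment. The trigger block, the environment name ``pypi``, the top-level read-only ``permissions`` default and the placeholder project URL are assumptions; the environment must exist in the repository settings and its name must match the one registered with the trusted publisher on PyPI.

```yaml
# Added example, not code from the OpenAstronomy workflows project.
# Assumed: workflow file name "publish.yml", environment name "pypi",
# and the project URL below (PROJECT-NAME is a placeholder).
name: Build and publish

on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:

# Default every job to read-only on the repository. Only the upload job
# opts into id-token: write, so the OIDC token that trusted publishing
# exchanges for a PyPI token is never available to the build/test job.
permissions:
  contents: read

jobs:
  build:
    uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish.yml@v1
    with:
      save_artifacts: true
      upload_to_pypi: false
      test_groups: test, concurrency
      test_extras: recommended
      test_command: pytest --pyargs test_package
      targets: |
        - linux
        - cp3?-macosx_x86_64

  upload:
    # Only run for release tags; pushes to branches and pull requests
    # still build and test but never reach this job.
    if: startsWith(github.ref, 'refs/tags/v')
    name: Upload built artifacts to PyPI
    runs-on: ubuntu-latest
    needs: [build]
    # Deployment environment: its name is checked by PyPI against the
    # trusted publisher entry, and any protection rules on it (required
    # reviewers, branch/tag restrictions) gate every upload.
    environment:
      name: pypi
      url: https://pypi.org/p/PROJECT-NAME
    permissions:
      id-token: write
    steps:
      - name: Download artifacts
        uses: actions/download-artifact@v7
        with:
          merge-multiple: true
          pattern: dist-*
          path: dist
      - name: Run upload
        uses: pypa/gh-action-pypi-publish@release/v1
```

Keeping ``id-token: write`` on the upload job rather than at the top level is what limits the token exchange to the one job that needs it; the reusable build job inherits only the read-only default.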