Using These Workflows with Trusted Publishing
Trusted Publishing is a feature of PyPI that uses short-lived tokens generated by a configured CI platform, in this case GitHub Actions.
Currently there is no direct support for using Trusted Publishing from within a reusable workflow; see this issue and the links therein. To work around this limitation, the Build and publish a Python package and Build and publish a pure Python package workflows support uploading the built distributions as workflow artifacts, which a subsequent job can then upload to PyPI.
Taking the example from Build and publish a Python package, we add two new lines (save_artifacts and upload_to_pypi):
```yaml
jobs:
  build:
    uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish.yml@v1
    with:
      save_artifacts: true
      upload_to_pypi: false
      test_groups: test, concurrency
      test_extras: recommended
      test_command: pytest --pyargs test_package
      targets: |
        - linux
        - cp3?-macosx_x86_64
```
Setting upload_to_pypi: false means that the publish (or publish_pure) workflow will never try to upload to PyPI by itself.
Setting save_artifacts: true means that it will always run the actions/upload-artifact step, so subsequent jobs in the workflow can use the dists.
Next we have to configure a new job, which downloads the artifacts and then uses the gh-action-pypi-publish action to upload to PyPI.
As we are using Trusted Publishing, this action needs no options at all. The job does, however, need the id-token: write permission, which lets it request the OIDC token that PyPI exchanges for a short-lived upload token; keep that permission on the upload job only, not at the workflow level.
We also add an if condition to the job so that it only runs on tags starting with a v.
```yaml
jobs:
  build:
    ...
  upload:
    if: startsWith(github.ref, 'refs/tags/v')
    name: Upload built artifacts to PyPI
    runs-on: ubuntu-latest
    needs: [build]
    permissions:
      id-token: write
    steps:
      - name: Download artifacts
        uses: actions/download-artifact@v7
        with:
          merge-multiple: true
          pattern: dist-*
          path: dist
      - name: Run upload
        uses: pypa/gh-action-pypi-publish@release/v1
```
You will also need to Add a Trusted Publisher to your PyPI project. If, as recommended, you are using a deployment environment, then don't forget to add that (the environment: key) to the upload job definition as well, so that the environment's protection rules gate the release.
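As an added example (not code from the original page or from the OpenAstronomy project), here is how the two fragments above combine into one complete workflow, with the recommended deployment environment attached to the upload job. The environment name pypi, the v* tag trigger and the top-level contents: read permission are assumptions; the environment name must match the one registered with the Trusted Publisher on PyPI.

```yaml
name: Build and publish

on:
  push:
    tags:
      - 'v*'          # assumed release tag pattern, matches the if: guard below
  pull_request:       # builds and tests still run on PRs; nothing is uploaded

# Assumed least-privilege default for every job; only the upload job is
# granted the OIDC token needed for Trusted Publishing.
permissions:
  contents: read

jobs:
  build:
    uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish.yml@v1
    with:
      save_artifacts: true     # keep the built dists as workflow artifacts
      upload_to_pypi: false    # never let the reusable workflow upload itself
      test_command: pytest --pyargs test_package
      targets: |
        - linux
        - cp3?-macosx_x86_64

  upload:
    if: startsWith(github.ref, 'refs/tags/v')
    name: Upload built artifacts to PyPI
    runs-on: ubuntu-latest
    needs: [build]
    # Assumed environment name; its protection rules (required reviewers,
    # branch/tag restrictions) gate the release before any token is minted.
    environment: pypi
    permissions:
      id-token: write          # request the OIDC token; no API token stored
    steps:
      - name: Download artifacts
        uses: actions/download-artifact@v7
        with:
          merge-multiple: true
          pattern: dist-*
          path: dist
      - name: Run upload
        uses: pypa/gh-action-pypi-publish@release/v1
```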