Skip to content

Use PyPI Trusted Publishing (OIDC) in publish.yml instead of an API token#31

Merged
bradymholt merged 2 commits into
mainfrom
pypi-trusted-publishing
Jul 2, 2026
Merged

Use PyPI Trusted Publishing (OIDC) in publish.yml instead of an API token#31
bradymholt merged 2 commits into
mainfrom
pypi-trusted-publishing

Conversation

@bradymholt

@bradymholt bradymholt commented Jul 2, 2026

Copy link
Copy Markdown
Member

I've configured GitHub Actions as a Trusted Publisher for this project on PyPI, so the publish workflow no longer needs a long-lived API token. This swaps the token-based poetry publish step for the official pypa/gh-action-pypi-publish action, which authenticates via OIDC. Poetry itself doesn't speak OIDC, but it still handles the build; the action just publishes whatever poetry build put in dist/, which is its default package directory.

The job now declares an explicit permissions block to grant id-token: write (required for OIDC). Since declaring permissions drops everything else to none, the block also restores contents: write (creating the GitHub Release) and issues/pull-requests: write (the step that comments on PRs included in the release). The commit-and-push step is unaffected because it uses the GH_API_TOKEN PAT. The new action is pinned by commit SHA to match the rest of the workflow.

The Trusted Publisher on PyPI is configured against this repo and the publish.yml filename, with no environment restriction.

A similar change was made for the Ruby SDK here.

Follow-ups after the first successful publish

  • Delete the POETRY_PYPI_TOKEN_PYPI repo secret
  • Revoke the old API token on PyPI

Replace the API-token-based poetry publish with the official
pypa/gh-action-pypi-publish action, which authenticates via OIDC
now that GitHub Actions is configured as a Trusted Publisher on
PyPI. The job's permissions are now declared explicitly to grant
id-token: write, restoring contents/issues/pull-requests access
the release steps relied on implicitly.
@bradymholt bradymholt changed the title placeholder Use PyPI Trusted Publishing (OIDC) in publish.yml instead of an API token Jul 2, 2026
@socket-security

socket-security Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedgithub/​pypa/​gh-action-pypi-publish@​cef221092ed1bacb1cc03d23a2d87d1d172e277b100100100100100

View full report

@bradymholt bradymholt requested review from a team and dbertram and removed request for a team July 2, 2026 16:50
dbertram
dbertram previously approved these changes Jul 2, 2026

@dbertram dbertram left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One possible comment correction + a curiosity.

Approving in case I'm misunderstanding which permissions are needed for which functionality.

Comment thread .github/workflows/publish.yml Outdated
Comment on lines +19 to +20
issues: write # comment on PRs included in the release
pull-requests: write

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
issues: write # comment on PRs included in the release
pull-requests: write
issues: write
pull-requests: write # comment on PRs included in the release

?

Also, just curious, but what is the issues: write needed for?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good question - I confirmed and issues: write isn't needed at all. Commenting on a PR via the issues.createComment API keys its permission off the target resource, so pull-requests: write covers it. We never comment on a real issue here, so I dropped issues: write entirely and moved your comment onto pull-requests: write in 9fd31c1. Thanks!

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Follow-up nit: can/should we drop the issues: write permission from that ynab-sdk-ruby GH workflow as well then?

Commenting on PRs via the issues API keys its permission off the
target resource, so pull-requests: write covers it. The workflow
never comments on a real issue, so issues: write was unnecessary.

@dbertram dbertram left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bradymholt bradymholt merged commit 066eaa7 into main Jul 2, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants