
ci: PyPI Trusted Publisher + workflow cleanup (#182)

Merged: cdnninja merged 14 commits into cdnninja:master from piitaya:pypi_trusted_publisher on May 24, 2026

Conversation

@piitaya (Collaborator) commented May 19, 2026

Summary

Move PyPI publishing to Trusted Publisher (OIDC) instead of the static token, and tidy up the rest of the workflows on the way.

release.yml keeps doing the auto-bump on push to master. The only change is replacing the deprecated actions/create-release@v1 with a gh release create call.

publish.yml is new. It fires when a GitHub release is published, builds the wheel, and pushes it to PyPI using the OIDC trusted publisher you set up earlier. Build and publish run as two separate jobs so the publish step is the only one with the id-token permission.

ci.yml had pull_request_target checking out the PR head, which is unsafe with forks (the workflow runs with repo secrets in scope). Switched to plain pull_request. Also dropped the unused flake8 step and CDNNINJA_* secrets, and bumped the Python matrix to 3.10-3.13.

Release flow

Nothing changes on your side. Merge a PR with a conventional title (feat:, fix:, feat!:); release.yml tags and creates the release, and publish.yml ships it to PyPI.

Notes

The pypi GitHub Environment gets auto-created on the first publish run. Once that run succeeds you can delete the PYPI_API_TOKEN and PYPI_API_TEST secrets.
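The two-job layout the description refers to (build in one job, publish in a second job that alone holds `id-token: write`), written out as an added illustration rather than the PR's own publish.yml. The `release: published` trigger, the `pypi` environment and `pypa/gh-action-pypi-publish` are the standard Trusted Publisher setup; the artifact name, step names and pinned Python version are assumptions.

```yaml
# Added example of a release-triggered Trusted Publisher workflow.
# Not the project's own file; artifact name and step names are assumed.
name: Publish to PyPI

on:
  release:
    types: [published]

# Workflow-wide default: nothing beyond reading the repository.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v6
        with:
          python-version: "3.12"   # assumed pin
      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build
      # Hand the built distributions to the publish job as an artifact so
      # the publish job never has to check out or execute project code.
      - uses: actions/upload-artifact@v4
        with:
          name: release-dists
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi            # must match the environment named on the PyPI trusted publisher
    permissions:
      id-token: write            # only this job may mint the OIDC token PyPI exchanges for a short-lived upload token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: release-dists
          path: dist/
      # No password/token input: the action requests a GitHub OIDC token and
      # PyPI verifies the repository, workflow file and environment claims.
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Job-level `permissions` replace the workflow-level block rather than extend it, so the publish job ends up with `id-token: write` and nothing else, while the build job, which is the only one that runs project code (build hooks, setup.py), never has the ability to mint a token. Once a Trusted Publisher is configured on PyPI, any static `PYPI_API_TOKEN` secret is dead weight and can be removed, as the notes above say.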

@piitaya piitaya marked this pull request as draft May 19, 2026 13:16
@piitaya piitaya changed the title from "ci: switch PyPI publish to Trusted Publisher + attestations" to "ci: PyPI Trusted Publisher + release-triggered publish" May 19, 2026
@piitaya piitaya marked this pull request as ready for review May 19, 2026 13:19
@piitaya piitaya changed the title from "ci: PyPI Trusted Publisher + release-triggered publish" to "ci: simplify release with Trusted Publisher + manual gating" May 19, 2026
@piitaya piitaya requested a review from cdnninja May 21, 2026 13:29
@cdnninja (Owner) commented:

Looks like the pypi side was already done and pending. Any option to keep this auto though within github? Right now, since I have to merge items or those I trust, releases are protected.

piitaya added 3 commits May 23, 2026 22:55
- ci.yml: pull_request_target -> pull_request (security), drop unused
  flake8 + CDNNINJA_* secrets, Python matrix 3.10-3.13, run on master too
- publish.yml: pin Python 3.12, align setup-python@v6
- release.yml: add concurrency, replace deprecated create-release@v1
  with gh release create, drop ad-m/github-push-action, hoist if to one
  combined step
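The `pull_request_target -> pull_request` change from the commit list and the PR description, shown as an added ci.yml illustration (not the project's own workflow). The matrix values come from the PR; the job name, install and test commands are assumptions.

```yaml
# Added example of a fork-safe CI workflow. Not the project's own ci.yml;
# job name, install step and test command are assumed.
name: CI

on:
  push:
    branches: [master]
  # Before the change this was `pull_request_target` together with a checkout
  # of `${{ github.event.pull_request.head.sha }}`. That trigger runs in the
  # base repository's context, so the fork's code executed with repo secrets
  # in scope. Plain `pull_request` from a fork gets a read-only GITHUB_TOKEN
  # and no repository secrets, so untrusted code cannot reach them.
  pull_request:

permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.10", "3.11", "3.12", "3.13"]
    steps:
      # With `pull_request` the default checkout is the PR merge ref; no
      # explicit `ref:` pointing at the PR head is needed or wanted.
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v6
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install package and test dependencies
        run: |
          python -m pip install --upgrade pip
          python -m pip install -e . pytest    # assumed layout
      - name: Run tests
        run: python -m pytest
```

The check to apply when reviewing any workflow that uses `pull_request_target`: if it checks out the PR head (`ref:` set to the head SHA or `refs/pull/N/merge` via the event payload) and then runs anything from that tree (pip install, npm install, a test runner), it is executing fork code with the base repo's secrets. If no step in the job needs secrets or write access, `pull_request` is the right trigger.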
@piitaya piitaya changed the title from "ci: simplify release with Trusted Publisher + manual gating" to "ci: PyPI Trusted Publisher + workflow cleanup" May 23, 2026
@piitaya (Collaborator, Author) commented May 23, 2026

@cdnninja I changed the workflow to use automatic releases (same as before).

@cdnninja cdnninja merged commit 8de0f86 into cdnninja:master May 24, 2026
9 checks passed