Skip to content

Feat/npm pypi packaging#31

Merged
alxxjohn merged 3 commits into
mainfrom
feat/npm-pypi-packaging
Jul 3, 2026
Merged

Feat/npm pypi packaging#31
alxxjohn merged 3 commits into
mainfrom
feat/npm-pypi-packaging

Conversation

@alxxjohn

@alxxjohn alxxjohn commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

No description provided.

alxxjohn and others added 3 commits July 3, 2026 13:59
PyPI (warehouse) matches the OIDC job_workflow_ref claim — the file that
runs the publish step (release.yml) — not workflow_ref (the cd.yml caller).
The earlier docs said cd.yml for both registries, which produced
invalid-publisher on PyPI. npm is the opposite and matches the caller, so:
  - PyPI  -> release.yml
  - npm   -> cd.yml
No workflow code change; only the trusted-publisher config differs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Trusted-publisher AUTH matches job_workflow_ref (release.yml), but the PEP
740 attestation's Build Config URI is taken from workflow_ref (the cd.yml
caller), so PyPI rejects the upload with a 400: the attestation can never
match the release.yml publisher when the publish step runs in a reusable
workflow. Set attestations: false. Release artifacts still carry SLSA
provenance + cosign signatures from GoReleaser.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The publish jobs previously ran inside the reusable release.yml, which split
the OIDC claims (workflow_ref=cd.yml vs job_workflow_ref=release.yml). PyPI
auth matched release.yml but the PEP 740 attestation's Build Config URI came
from cd.yml, so no single trusted publisher satisfied both and uploads failed
with 400 Invalid attestations. This is the difference from szr, whose
release.yml is triggered directly on the tag push (both claims resolve to
release.yml).

Move publish-npm and publish-pypi into cd.yml (the top-level entry workflow),
running after stable-release. Both OIDC claims now resolve to cd.yml, so a
single trusted publisher (cd.yml) works for npm and PyPI with attestations on.
Removed attestations: false. Configure both trusted publishers with cd.yml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@alxxjohn alxxjohn merged commit 68740f2 into main Jul 3, 2026
14 checks passed
@alxxjohn alxxjohn deleted the feat/npm-pypi-packaging branch July 3, 2026 18:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant