From 4b37ab65ecf3f3a71504481091c78a9df5ec698c Mon Sep 17 00:00:00 2001 From: Andrey Markelov Date: Thu, 9 Jul 2026 14:44:41 -0700 Subject: [PATCH 1/2] Publish to PyPI via AWS Secrets Manager (OIDC) The v12.1.0 release failed to upload because secrets.pypi_secret is no longer set on this repo (403 Forbidden, empty token). The dropbox/stone repo already migrated publishing off GitHub secrets to a PyPI token fetched from AWS Secrets Manager via GitHub OIDC; mirror that here. The role-to-assume and secret ARNs are placeholders scoped to this repo -- they must be provisioned for dropbox-sdk-python before the workflow can authenticate (stone's ARNs will not work, as the IAM trust policy is scoped to a single repo). Also adds workflow_dispatch so a maintainer can re-trigger the publish without cutting a new release. --- .github/workflows/pypiupload.yml | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pypiupload.yml b/.github/workflows/pypiupload.yml index 3bdbe7a..a76388a 100644 --- a/.github/workflows/pypiupload.yml +++ b/.github/workflows/pypiupload.yml @@ -6,13 +6,33 @@ name: Publish to PyPi on: release: types: [created] + workflow_dispatch: # Allow manual trigger for testing jobs: deploy: runs-on: ubuntu-latest + permissions: # required for OIDC authentication + id-token: write + contents: read steps: - uses: actions/checkout@v5 + + # NOTE: The IAM role and Secrets Manager secret below must be provisioned + # for the dropbox-sdk-python repo. The stone repo's role/secret ARNs will + # NOT work here -- the role's trust policy is scoped to a single repo. + - name: Configure AWS credentials (OIDC) + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::082972943155:role/oidc-github-dropbox-sdk-python-repo + aws-region: us-west-2 + - name: Get PyPI token from AWS Secrets Manager + id: get-secret + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + PYPI_SECRET,arn:aws:secretsmanager:us-west-2:082972943155:secret:pypi-api-token-dropbox-sdk-python + parse-json-secrets: false - name: Setup Python environment uses: actions/setup-python@v6 with: @@ -26,7 +46,7 @@ jobs: - name: Publish env: TWINE_USERNAME: __token__ - TWINE_PASSWORD: ${{ secrets.pypi_secret }} + TWINE_PASSWORD: ${{ env.PYPI_SECRET }} run: | twine check dist/* twine upload dist/* From f94001213752bb317b6e68b92c13390b3713ea17 Mon Sep 17 00:00:00 2001 From: Andrey Markelov Date: Thu, 9 Jul 2026 16:55:23 -0700 Subject: [PATCH 2/2] Fix OIDC role name and reference PyPI secret by name The role-to-assume used the wrong name: the provisioned role encodes both the org and the repo (dropbox / dropbox-sdk-python), so it is oidc-github-dropbox-dropbox-sdk-python-repo, not oidc-github-dropbox-sdk-python-repo. The old name would never resolve and the OIDC assume would fail. Also reference the PyPI secret by its friendly name instead of a full ARN. Secrets Manager appends a random suffix to the ARN, so the name is the stable identifier and avoids hardcoding a suffix that is not known until the secret is created. --- .github/workflows/pypiupload.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pypiupload.yml b/.github/workflows/pypiupload.yml index a76388a..8600c5f 100644 --- a/.github/workflows/pypiupload.yml +++ b/.github/workflows/pypiupload.yml @@ -18,20 +18,19 @@ jobs: steps: - uses: actions/checkout@v5 - # NOTE: The IAM role and Secrets Manager secret below must be provisioned - # for the dropbox-sdk-python repo. The stone repo's role/secret ARNs will - # NOT work here -- the role's trust policy is scoped to a single repo. - name: Configure AWS credentials (OIDC) uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: arn:aws:iam::082972943155:role/oidc-github-dropbox-sdk-python-repo + role-to-assume: arn:aws:iam::082972943155:role/oidc-github-dropbox-dropbox-sdk-python-repo aws-region: us-west-2 - name: Get PyPI token from AWS Secrets Manager id: get-secret uses: aws-actions/aws-secretsmanager-get-secrets@v2 with: + # Referenced by friendly name; Secrets Manager appends a random suffix to + # the full ARN, so the name is the stable identifier. secret-ids: | - PYPI_SECRET,arn:aws:secretsmanager:us-west-2:082972943155:secret:pypi-api-token-dropbox-sdk-python + PYPI_SECRET,pypi-api-token-dropbox-sdk-python parse-json-secrets: false - name: Setup Python environment uses: actions/setup-python@v6