Skip to content

[WIP] Upgrade pypi_upload.yml to use Trusted Publishing#4900

Closed
Copilot wants to merge 1 commit into
mainfrom
copilot/upgrade-pypi-upload-workflow
Closed

[WIP] Upgrade pypi_upload.yml to use Trusted Publishing#4900
Copilot wants to merge 1 commit into
mainfrom
copilot/upgrade-pypi-upload-workflow

Conversation

Copy link
Copy Markdown

Copilot AI commented Dec 9, 2025

Thanks for assigning this issue to me. I'm starting to work on it and will keep this PR's description up to date as I form a plan and make progress.

Original prompt

This section details on the original issue you should resolve

<issue_title>[task] Upgrade .github/workflows/pypi_upload.yml to use Trusted Publishing</issue_title>
<issue_description> any reason you didn't migrate to Trusted Publishing? It can produce digital attestations out of the box now: https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/.

Originally posted by @webknjaz in #4512 (comment)

          We should move to Trusted Publishing at some point, but that's a bit more work, so we'll do it when we do it I suppose. I'd probably accept a PR that does it for us.

Originally posted by @JelleZijlstra in #4512 (comment)

The full guide is @ https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/.

Example of CI/CD setup that uploads individual dists as GHA workflow artifacts in cibuildwheel (and pure-python fallback) jobs with unique artifact names, and then downloads them in the publishing job: https://github.com/aio-libs/yarl/blob/426b7ac/.github/workflows/ci-cd.yml#L112-L124 + https://github.com/aio-libs/yarl/blob/426b7ac/.github/workflows/reusable-build-wheel.yml#L93-L100 + https://github.com/aio-libs/yarl/blob/426b7ac/.github/workflows/ci-cd.yml#L553-L558.

Roughly, this is what needs to be done:

  • add uploading artifacts into each job producing them
  • ensure that the artifact names are unique per single workflow run
  • add downloading all of them and merging contents of multiple artifacts into a single dir, into the PyPI upload job
  • Change twine upload to invoking pypi-publish
  • Add OIDC permission to the PyPI job
  • Add an environment called pypi to the job and set up required reviewers for said environment in the repo settings
  • Get somebody with the Owner-level permissions to configure trust on the PyPI side</issue_description>

Comments on the Issue (you are @copilot in this section)

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@cooperlees
Copy link
Copy Markdown
Collaborator

cooperlees commented Dec 9, 2025

This was an accident

@cooperlees cooperlees closed this Dec 9, 2025
Copilot AI requested a review from cooperlees December 9, 2025 21:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cooperlees cooperlees Awaiting requested review from cooperlees

Assignees

@cooperlees cooperlees

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[task] Upgrade .github/workflows/pypi_upload.yml to use Trusted Publishing

2 participants

@cooperlees