pypi: use trusted publishing for binary wheels #6543

Merged
merged 3 commits into from
Jul 14, 2025
24 changes: 14 additions & 10 deletions .github/workflows/ci-wheels.yml
Expand Up @@ -129,6 +129,10 @@ jobs:
needs: test-wheel
name: "publish to test.pypi"
runs-on: ubuntu-latest
permissions:
id-token: write # Mandatory for PyPI Trusted Publishing OpenID Connect (OIDC)
environment: test-pypi

# upload to Test PyPI for every commit on main branch
# and check for the SciTools repo
if: github.event_name == 'push' && github.event.ref == 'refs/heads/main' && github.repository_owner == 'SciTools'
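Review bot: `environment: test-pypi` in the `publish to test.pypi` job only restricts which job can obtain an upload token if the Test PyPI trusted publisher entry is registered with that same environment name. Worth confirming that it is, and adding a short comment beside the key saying it must match the publisher entry, so a later rename does not silently break uploads. The job-level `permissions:` block listing only `id-token: write` is the right scope, since every permission not listed there is set to none for this job.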
Expand All @@ -138,18 +142,20 @@ jobs:
name: pypi-artifacts
path: ${{ github.workspace }}/dist

- uses: pypa/gh-action-pypi-publish@release/v1
- uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc
with:
user: __token__
password: ${{ secrets.TEST_PYPI_API_TOKEN }}
repository_url: https://test.pypi.org/legacy/
skip_existing: true
print_hash: true
repository-url: https://test.pypi.org/legacy/
skip-existing: true
print-hash: true

publish-artifacts-pypi:
needs: test-wheel
name: "publish to pypi"
runs-on: ubuntu-latest
permissions:
id-token: write # Mandatory for PyPI Trusted Publishing OpenID Connect (OIDC)
environment: pypi

# upload to PyPI for every tag starting with 'v'
if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v') && github.repository_owner == 'SciTools'
steps:
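Review bot: the pin `pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc` has no trailing comment naming the release tag it corresponds to, so nobody reading the workflow can tell which version is in use or whether an update is due. Add the tag as a comment on the `uses:` line here and on the identical pin in the `publish to pypi` job. Separately, the `if:` on `publish to pypi` accepts any pushed ref starting with `refs/tags/v`; now that the job runs in `environment: pypi`, consider protection rules on that environment (required reviewers or a tag restriction) so a stray `v*` tag cannot publish unattended.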
Expand All @@ -158,8 +164,6 @@ jobs:
name: pypi-artifacts
path: ${{ github.workspace }}/dist

- uses: pypa/gh-action-pypi-publish@release/v1
- uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc
with:
user: __token__
password: ${{ secrets.PYPI_API_TOKEN }}
print_hash: true
print-hash: true
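Review bot: dropping `password: ${{ secrets.PYPI_API_TOKEN }}` stops the workflow from using the long-lived token but does not invalidate it. Once an upload has gone through OIDC, revoke the token on PyPI and delete the repository secret; the same applies to `secrets.TEST_PYPI_API_TOKEN`, removed from the Test PyPI job above.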
7 changes: 7 additions & 0 deletions docs/src/whatsnew/latest.rst
Expand Up @@ -144,6 +144,11 @@ This document explains the changes made to Iris for this release
benchmark data generation, showing developers the root problem at-a-glance
without needing local replication. (:pull:`6524`)

#. `@bjlittle`_ added support for `Trusted Publishing`_ of source distributions
and binary wheels to PyPI and Test PyPI. (:pull:`6543`)




.. comment
Whatsnew author names (@github name) in alphabetical order. Note that,
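Review bot: the new entry beginning `#. @bjlittle added support for Trusted Publishing` does not mention that the publish jobs now run in the `test-pypi` and `pypi` GitHub environments, or that the API-token secrets are no longer used. One more clause covering that would tell maintainers which repository settings the release workflow now depends on.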
Expand All @@ -154,3 +159,5 @@ This document explains the changes made to Iris for this release

.. comment
Whatsnew resources in alphabetical order:

.. _Trusted Publishing: https://docs.pypi.org/trusted-publishers/