ci: gate release pypi-publish behind PYPI_TRUSTED_PUBLISHER var#64
Merged
Conversation
… cleanly until OIDC configured) The pypi-publish job exchanges an OIDC token for a PyPI upload token. With no Trusted Publisher configured, that exchange fails -> red CI on every published Release, which blocks attaching Sigstore-signed bundles to Releases for versions already published by token (1.0.0, 1.0.1). Gate pypi-publish behind the repo variable PYPI_TRUSTED_PUBLISHER == 'true' so it is SKIPPED cleanly (gray, not red) until OIDC publishing is explicitly enabled, while build + sign still run so signed bundles attach. Add skip-existing: true to both pypa/gh-action-pypi-publish steps so re-running a Release for an already published version no-ops on the duplicate instead of failing. sign remains needs: build. SHA pins + version comments unchanged. RELEASING.md documents the gate variable and how to enable it after configuring the Trusted Publisher.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Gate the
pypi-publishjob in.github/workflows/release.ymlso it skips cleanly (gray, not red) until OIDC Trusted Publishing is explicitly enabled. This unblocks attaching Sigstore-signed bundles to GitHub Releases for versions already published to PyPI by token (1.0.0,1.0.1), where the OIDC Trusted Publisher is not yet configured.Why
On
release: published,pypi-publishmints an OIDC token and exchanges it for a PyPI upload token. With no Trusted Publisher configured, that exchange fails closed → red CI on every Release. That red failure makes it impossible to cut a GitHub Release for the already-token-published1.0.0/1.0.1to attach.sigstorebundles, even thoughbuild+signwould otherwise succeed.Changes (surgical)
Gate
pypi-publish— foldedvars.PYPI_TRUSTED_PUBLISHER == 'true'into the job-levelif:(AND-ed with the existing event-type guard). When the variable is unset / not'true', the job is SKIPPED (gray), not red.skip-existing: trueadded to bothpypa/gh-action-pypi-publishsteps (production PyPI + TestPyPI) — so even once OIDC is enabled, re-running a Release for an already-published version no-ops on the duplicate instead of failing.signstillneeds: build(verified — never depended onpypi-publish), so on any published Release it builds + Sigstore-signs + attaches.sigstorebundles regardless of the publish gate.No SHA pins changed — all
uses:remain pinned to a 40-char SHA with a# vX.Y.Zcomment (tests/test_workflow_pins.py: 70 passed).permissions:scoping unchanged.RELEASING.mddocuments thePYPI_TRUSTED_PUBLISHERgate and how to enable OIDC publishing after configuring the Trusted Publisher (gh variable set PYPI_TRUSTED_PUBLISHER --body true).Net effect
PYPI_TRUSTED_PUBLISHER=true(after OIDC setup)Verification
yamllint -d relaxed .github/workflows/release.yml— clean (exit 0; only pre-existing line-length warnings)..venv: 511 passed, 1 skipped, incl.tests/test_workflow_pins.py(70 passed).