ci: add PyPI Trusted Publishing workflow#7
Open
MHoroszowski wants to merge 1 commit intomasterfrom
Open
Conversation
Adds .github/workflows/publish.yml so future releases publish to PyPI
automatically when a GitHub Release is published, using PyPI's OIDC
Trusted Publishing instead of a long-lived API token stored as a repo
secret.
Workflow:
- build job: checkout, build sdist+wheel, twine check, upload as
workflow artifact.
- publish-pypi job: downloads the artifact and uploads to PyPI via
pypa/gh-action-pypi-publish, gated on the `pypi` environment with
id-token write permission for OIDC.
One-time setup required on PyPI side (cannot be done from this repo):
1. https://pypi.org/manage/project/python-pptx-extended/settings/publishing/
2. Add a GitHub publisher with:
owner: MHoroszowski
repository: python-pptx
workflow: publish.yml
environment: pypi
3. (Recommended) Create a `pypi` environment in repo Settings →
Environments with branch protection requiring tag-based deploys.
Triggering a release after setup:
- Cut a GitHub Release pointing at a vX.Y.Z tag — this fires the
workflow on `release: published`.
- workflow_dispatch is also wired for manual re-runs / overrides.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
build(sdist + wheel +twine check, uploaded as a workflow artifact) →publish-pypi(downloads artifact, publishes via pypa/gh-action-pypi-publish withid-token: writeand thepypienvironment).One-time setup required on PyPI (cannot be done from this repo)
After this PR merges, configure the Trusted Publisher so the workflow can actually upload:
python-pptx-extendedMHoroszowskipython-pptxpublish.ymlpypipypiand add a deployment branch/tag rule restricting deploys to tags matchingv*. Second line of defense in case workflow logic is ever changed in a PR.After setup, the local
~/.pypircPyPI API token used for the manual 1.1.0 upload can be revoked at https://pypi.org/manage/account/token/ — Trusted Publishing replaces it.How releases will work after merge
vX.Y.Zand push the tag.gh release create vX.Y.Z).publishworkflow runs onrelease: published, builds, and uploads to PyPI.workflow_dispatchis also wired for manual re-runs.Test plan
pypienvironment in repo Settings (optional but recommended)Related
release/v1.1.0branch.🤖 Generated with Claude Code