Skip to content

Commit b9bf37f

Browse files
RobLe3claude
andcommitted
[ci] publish.yml — switch from OIDC trusted publishing to API token
Why: Run #26500551525 reached the publish step (tests now pass after test_serve.py quarantine in iter f89ecec) but failed with 'invalid-publisher: valid token, but no corresponding publisher'. PyPI trusted publishing requires a trusted-publisher rule on the PyPI project side matching the workflow's OIDC claims (repository, workflow_ref, environment) — that rule hasn't been configured. Switching to API token auth (PYPI_API_TOKEN secret set on the repo 2026-05-27 from deploy/.credentials/pypi_credentials.sh). Trusted publishing remains the preferred long-term path; comment in workflow documents the migration trigger. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
1 parent f89ecec commit b9bf37f

1 file changed

Lines changed: 8 additions & 4 deletions

File tree

.github/workflows/publish.yml

Lines changed: 8 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -76,8 +76,12 @@ jobs:
7676
run: pip install build --quiet
7777
- name: Build sdist and wheel
7878
run: python -m build
79-
- name: Publish to PyPI (trusted publishing)
79+
- name: Publish to PyPI (API token)
8080
uses: pypa/gh-action-pypi-publish@release/v1
81-
# Falls back to API token if OIDC trusted publishing is not configured:
82-
# with:
83-
# password: ${{ secrets.PYPI_API_TOKEN }}
81+
# API token auth — OIDC trusted publishing is not yet configured on
82+
# the PyPI project side (would need a trusted-publisher rule matching
83+
# workflow_ref=publish.yml@refs/tags/v0.5.x + environment=pypi).
84+
# When the trusted publisher is configured, remove the `with:` block
85+
# and uncomment `id-token: write` to fall back to OIDC.
86+
with:
87+
password: ${{ secrets.PYPI_API_TOKEN }}

0 commit comments

Comments
 (0)