jupyterhub / team-compass

A repository for team interaction, syncing, and handling meeting notes across the JupyterHub ecosystem.
http://jupyterhub-team-compass.readthedocs.io

Publish to PyPI from a github workflow by declaring the workflow to be trusted #648

Open consideRatio opened 1 year ago

consideRatio commented 1 year ago

In this PyPI blog post we learn about a new feature that makes us no longer need to set up PyPI projects with maintainer rights to the jupyterhub-bot account and then generate a scoped deployment token. Instead, we can just declare a GitHub project's workflow to be trusted, add permissions.id-token: write, and finally use the pypa/gh-action-pypi-publish action.

To me, this sounds great! I intend to pilot use of this in jupyterhub/tmpauthenticator

jobs:
   pypi-publish:
     name: upload release to PyPI
     runs-on: ubuntu-latest
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
     steps:
       # retrieve your distributions here

       - name: Publish package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          username: __token__
-          password: ${{ secrets.PYPI_TOKEN }}
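Review bot: once this job-level `permissions:` block exists, every permission not listed in it is set to none for the job, so the placeholder step `# retrieve your distributions here` cannot be implemented with actions/checkout unless `contents: read` is added next to `id-token: write`; fetching the built files with actions/download-artifact from a separate build job avoids that and keeps this job's only grant the OIDC one. Dropping the whole `with:` block (`username: __token__` / `password: ${{ secrets.PYPI_TOKEN }}`) is the right change rather than emptying the values: the action switches to trusted publishing only when no credentials are passed, so a leftover password input would keep using the old token.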

Related
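A complete release workflow built around that snippet, as an added example that is not code from this issue or from any jupyterhub project: it separates building from publishing so that the job holding `id-token: write` never checks out or executes repository code, and ties publishing to a GitHub environment. The workflow file name, the environment name `pypi`, the artifact name `python-dist`, the tag pattern and the build commands are assumptions.

```yaml
# Added example (not from the issue or the jupyterhub projects). Assumed: a
# package built with `python -m build`, a GitHub environment named `pypi`,
# releases cut by pushing a `v*` tag, and the file saved as
# .github/workflows/release.yml.
name: Release

on:
  push:
    tags:
      - "v*"

# Workflow-wide default: no permissions unless a job asks for them.
permissions: {}

jobs:
  build:
    name: Build sdist and wheel
    runs-on: ubuntu-latest
    permissions:
      contents: read   # required by actions/checkout once permissions are set
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Build distributions
        run: |
          python -m pip install --upgrade build
          python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: python-dist   # assumed artifact name
          path: dist/

  pypi-publish:
    name: Upload release to PyPI
    needs: build
    runs-on: ubuntu-latest
    # Assumed environment name; the trusted publisher on PyPI can be
    # configured to require this exact environment name.
    environment: pypi
    permissions:
      id-token: write   # mandatory for trusted publishing; nothing else granted
    steps:
      # No checkout here: this job only handles the already-built artifact.
      - uses: actions/download-artifact@v4
        with:
          name: python-dist
          path: dist/
      - name: Publish package distributions to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        # No username/password inputs: the action exchanges the job's GitHub
        # OIDC token for a short-lived PyPI token by itself.
```

On the PyPI side the trusted publisher is registered with the repository owner, repository name, workflow file name (`release.yml` under this assumption) and, optionally, the environment name. With the environment set in both places, a workflow run outside the `pypi` environment is not issued a token, which is what lets the environment's protection rules (required reviewers, branch or tag restrictions) gate every upload.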

manics commented 1 year ago

Sounds good to me. It's using OIDC, which is the same process that GitHub workflows use to authenticate with public cloud providers with a temporary token instead of using fixed secret credentials. When we're migrating existing workflows we should also delete the original tokens from PyPI.