75f3cce197
Co-authored-by: isaacmbrown <isaacmbrown@github.com> Co-authored-by: Hector Alfaro <hectorsector@github.com> Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com> Co-authored-by: hubwriter <hubwriter@github.com> Co-authored-by: Vanessa <vgrl@github.com> Co-authored-by: Christopher Nguyen <91625426+nguyen-dows@users.noreply.github.com> Co-authored-by: Sophie <29382425+sophietheking@users.noreply.github.com> Co-authored-by: Felicity Chapman <felicitymay@github.com> Co-authored-by: Andrew Eisenberg <aeisenberg@github.com> Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com> Co-authored-by: David Staheli <1767415+davidstaheli@users.noreply.github.com> Co-authored-by: Sarita Iyer <66540150+saritai@users.noreply.github.com> Co-authored-by: sunbrye <sunbrye@github.com> Co-authored-by: Tim Rogers <timrogers@github.com> Co-authored-by: Felix Guntrip <stevecat@github.com> Co-authored-by: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com> Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com> Co-authored-by: Rachael Rose Renk <91027132+rachaelrenk@users.noreply.github.com> Co-authored-by: Jules <19994093+jules-p@users.noreply.github.com> Co-authored-by: Laura Coursen <lecoursen@github.com> Co-authored-by: Jules Porter <jules-p@users.noreply.github.com> Co-authored-by: Devraj Mehta <devm33@github.com> Co-authored-by: Kate Studwell <katestud@github.com> Co-authored-by: Katherine Oelsner <49968061+octokatherine@users.noreply.github.com> Co-authored-by: Rachael Sewell <rachmari@github.com> Co-authored-by: Tim Rogers <me@timrogers.co.uk> Co-authored-by: Arfon Smith <arfon@users.noreply.github.com>
4.0 KiB
title, shortTitle, intro, versions, type, topics, redirect_from
| title | shortTitle | intro | versions | type | topics | redirect_from | |||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Configuring OpenID Connect in PyPI | OpenID Connect in PyPI | Use OpenID Connect within your workflows to authenticate with PyPI. |
|
tutorial |
|
|
Overview
OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %} workflows to authenticate with PyPI to publish Python packages.
This guide gives an overview of how to configure PyPI to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and demonstrates how to use this configuration in the pypa/gh-action-pypi-publish action to publish packages to PyPI (or other Python package repositories) without any manual API token management.
Prerequisites
{% data reusables.actions.oidc-link-to-intro %}
{% data reusables.actions.oidc-security-notice %}
{% data reusables.actions.oidc-on-ghecom %}
Adding the identity provider to PyPI
To use OIDC with PyPI, add a trust configuration that links each project on PyPI to each repository and workflow combination that's allowed to publish for it.
-
Sign in to PyPI and navigate to the trusted publishing settings for the project you'd like to configure. For a project named
myproject, this will be athttps://pypi.org/manage/project/myproject/settings/publishing/. -
Configure a trust relationship between the PyPI project and a {% data variables.product.prodname_dotcom %} repository (and workflow within the repository). For example, if your {% data variables.product.prodname_dotcom %} repository is at
myorg/myprojectand your release workflow is defined inrelease.ymlwith an environment ofrelease, you should use the following settings for your trusted publisher on PyPI.{% note %}
Note: Enter these values carefully. Giving the incorrect user, repository, or workflow the ability to publish to your PyPI project is equivalent to sharing an API token.
{% endnote %}
- Owner:
myorg - Repository name:
myproject - Workflow name:
release.yml - (Optionally) a {% data variables.product.prodname_actions %} environment name:
release
- Owner:
Updating your {% data variables.product.prodname_actions %} workflow
Once your trusted publisher is registered on PyPI, you can update your release workflow to use trusted publishing.
{% data reusables.actions.oidc-deployment-protection-rules %}
The pypa/gh-action-pypi-publish action has built-in support for trusted publishing, which can be enabled by giving its containing job the id-token: write permission and omitting username and password.
The following example uses the pypa/gh-action-pypi-publish action to exchange an OIDC token for a PyPI API token, which is then used to upload a package's release distributions to PyPI.
jobs:
release-build:
runs-on: ubuntu-latest
steps:
- uses: {% data reusables.actions.action-checkout %}
- uses: {% data reusables.actions.action-setup-python %}
with:
python-version: "3.x"
- name: build release distributions
run: |
# NOTE: put your own distribution build steps here.
python -m pip install build
python -m build
- name: upload windows dists
uses: {% data reusables.actions.action-upload-artifact %}
with:
name: release-dists
path: dist/
pypi-publish:
runs-on: ubuntu-latest
needs:
- release-build
permissions:
id-token: write
steps:
- name: Retrieve release distributions
uses: {% data reusables.actions.action-download-artifact %}
with:
name: release-dists
path: dist/
- name: Publish release distributions to PyPI
uses: pypa/gh-action-pypi-publish@3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f