Trusted publishing (with attestations means I have high confidence that what I download from PyPI is the same artefact which was generated in GitHub CI, meaning that what I see in GitHub is the same as what is installed - handy for auditing.
See the Python packaging documentation, the PyPI documentation, and the official pypi-publish GitHub action documentation on trusted publishing.
Implementation (click to expand)
- Configure (or use an existing) GitHub environment and add to PyPI
- Remove
user and password arguments in the "Publish to PyPI" step of the pypi job of the deploy CI workflow
- Add the environment definition to the same
pypi job
- Add
id-token: write and contents: read permissions to the same pypi job
- Optionally remove the
PYPI_PASSWORD project secret
Trusted publishing (with attestations means I have high confidence that what I download from PyPI is the same artefact which was generated in GitHub CI, meaning that what I see in GitHub is the same as what is installed - handy for auditing.
See the Python packaging documentation, the PyPI documentation, and the official pypi-publish GitHub action documentation on trusted publishing.
Implementation (click to expand)
userandpasswordarguments in the "Publish to PyPI" step of thepypijob of the deploy CI workflowpypijobid-token: writeandcontents: readpermissions to the samepypijobPYPI_PASSWORDproject secret