Skip to content

Migrate PyPI publishing to OIDC trusted publishers#52

Open
robbykap wants to merge 3 commits intomasterfrom
migrate-pypi-oidc
Open

Migrate PyPI publishing to OIDC trusted publishers#52
robbykap wants to merge 3 commits intomasterfrom
migrate-pypi-oidc

Conversation

@robbykap
Copy link
Copy Markdown

@robbykap robbykap commented Apr 1, 2026

Summary

Migrate from pypi_user/pypi_password secrets to PyPI OIDC trusted publishers, as required by the updated poetry_publish.yaml reusable workflow in BYU-CS-Course-Ops/utils#7.

Changes

  • Added permissions: id-token: write at workflow level (required for OIDC token issuance)
  • Removed pypi_user and pypi_password from secrets block
  • Removed stale pull_request trigger (the push trigger already covers merged PRs)

Before merging

  1. Configure a trusted publisher on pypi.org:
    • Go to byu-pytest-utils package → Manage → Publishing → Add GitHub Actions publisher
    • Owner: BYU-CS-Course-Ops
    • Repository: byu_pytest_utils
    • Workflow name: poetry_publish.yaml
    • Environment: leave blank
  2. Merge BYU-CS-Course-Ops/utils#7 first — this PR depends on the updated reusable workflow

After merging

  • The PYPI_USER and PYPI_PASSWORD repository secrets can be removed from GitHub Settings

🤖 Generated with Claude Code

@robbykap
Migrate PyPI publishing to OIDC trusted publishers
90f6ca6 
Replace pypi_user/pypi_password secrets with OIDC trusted publisher
authentication. Add permissions: id-token: write at workflow level
as required by the reusable workflow in BYU-CS-Course-Ops/utils.

See: BYU-CS-Course-Ops/utils#7
@robbykap robbykap mentioned this pull request Apr 1, 2026
Closed
9 tasks
robbykap added 2 commits April 1, 2026 11:00
@robbykap
Disable auto-trigger until OIDC trusted publisher is configured
59a1ea7 
The push trigger is temporarily removed to prevent failed workflow
runs on merge. Re-enable it after:
1. BYU-CS-Course-Ops/utils#7 is merged
2. A trusted publisher is configured on pypi.org for this repo
@robbykap
[skip ci] Revert to push trigger for poetry_publish.yaml
375ba42
@ecdye
Copy link
Copy Markdown
Member

ecdye commented Apr 1, 2026

I don't believe this will work because of the Enterprise account (CES) we are under. The OIDC minting url is different and PyPi doesn't support that. I tried on code_recorder_processor and couldn't get it to work.

@robbykap robbykap mentioned this pull request Apr 1, 2026
Merged
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@robbykap @ecdye