This document explains how to configure PyPI publishing for the mao package using GitHub Actions and trusted publishing.
The mao package has NEVER been released to PyPI! This PR updates the workflow to use trusted publishing and provides instructions for creating the first v0.1.0 release.
- A PyPI account at https://pypi.org
- Admin access to the GitHub repository
PyPI's trusted publishing eliminates the need for API tokens by using OpenID Connect (OIDC) to verify that the package is being published from the correct GitHub repository.
- Go to https://pypi.org and log in
- Navigate to your account settings
- Go to "Publishing" section
- Click "Add a new pending publisher"
- Fill in the details:
  - PyPI Project Name: `mao-agents`
  - Owner: `agentic-dev-io`
  - Repository name: `mao`
  - Workflow name: `publish.yml`
  - Environment name: (leave empty)
- Click "Add"
Note: For the first publish, you need to create the project as a "pending publisher" before the package exists on PyPI.
Once trusted publishing is configured, create the first release:
- Verify the version in `pyproject.toml` is set to `0.1.0`
- Go to https://github.com/agentic-dev-io/mao/releases/new
- Click "Choose a tag" and create a new tag: `v0.1.0`
- Set the release title: "mao v0.1.0 - Initial Release"
- Add release notes describing the package features:

```markdown
# mao v0.1.0 - Initial Release

First public release of MCP Agent Orchestra - A modern framework for orchestrating AI agents.

## Features

- FastAPI-based agent orchestration
- Support for multiple LLM providers (OpenAI, Anthropic, Ollama)
- LangChain and LangGraph integration
- DuckDB-based vector storage (no external services needed)
- DuckDB for data management
- Docker support
```
- Click "Publish release"
The GitHub Action will automatically:
- Build the package
- Run quality checks
- Publish to PyPI using trusted publishing
For future releases:
- Update the version in `pyproject.toml` (e.g., `0.2.0`)
- Commit the change
- Create a new GitHub release with the matching tag (e.g., `v0.2.0`)
You can also trigger publishing manually without creating a release:
- Go to https://github.com/agentic-dev-io/mao/actions/workflows/publish.yml
- Click "Run workflow"
- Select the branch to publish from
- Optionally specify a version override
- Click "Run workflow"
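A workflow that behaves as described above (runs on a published release or on manual dispatch with an optional version override, 15-minute timeout, `id-token: write` for OIDC, no API token). This is an added example, not the repository's actual `publish.yml`; the pinned action versions, the Python version and the `sed`-based override step are assumptions.

```yaml
# .github/workflows/publish.yml (example; assumed layout, not the project's own file)
name: Publish to PyPI

on:
  release:
    types: [published]      # 'published', not 'created': fires only once the release is public
  workflow_dispatch:
    inputs:
      version:
        description: "Optional version override (hypothetical input name)"
        required: false
        default: ""

jobs:
  publish:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read        # least privilege: the job only needs to read the checkout
      id-token: write       # lets the job mint the OIDC token that PyPI verifies
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumed; pick the version the project supports

      - name: Apply version override (manual runs only)
        if: github.event_name == 'workflow_dispatch' && inputs.version != ''
        env:
          # Pass the input through an env var instead of ${{ }} inside the script,
          # so an attacker-controlled value cannot inject shell commands.
          VERSION_OVERRIDE: ${{ inputs.version }}
        run: |
          sed -i "s/^version = \".*\"/version = \"${VERSION_OVERRIDE}\"/" pyproject.toml

      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build

      - name: Quality check the distributions
        run: |
          python -m pip install --upgrade twine
          python -m twine check dist/*

      - name: Publish to PyPI (trusted publishing, no stored token)
        uses: pypa/gh-action-pypi-publish@release/v1
```

No `environment:` key is set because the trusted publisher above was registered with the environment name left empty; if you later add one, both the workflow and the PyPI publisher entry must name it.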
After publishing, verify your package at:

Install it using:

```shell
pip install mao-agents
```

This PR updates the publishing workflow to use trusted publishing:
- Removed the API token requirement (more secure!)
- Changed the trigger from `created` to `published` (GitHub best practice)
- Reduced the timeout from 30 to 15 minutes (more appropriate for Python packages)
- Updated documentation to reflect the trusted publishing setup
If you previously had `PYPI_API_TOKEN` in GitHub secrets, you can now:
- Delete the secret (it's no longer needed)
- Follow the trusted publishing setup above
- Trusted publishing is more secure and doesn't require token management
If the first publish fails with "project does not exist", make sure you:
- Created the pending publisher on PyPI first
- Used the exact workflow filename (`publish.yml`)
- Checked that the repository owner and name match exactly
If you get permission errors:
- Verify the trusted publisher is configured correctly on PyPI
- Ensure the workflow has `id-token: write` permissions (already configured)
- Check that the repository owner matches the PyPI project owner
The package version is defined in `pyproject.toml`:

```toml
[project]
name = "mao"
version = "0.1.0"
```

Before creating a new release:
- Update the version in `pyproject.toml`
- Commit the change
- Create a new release with a matching tag (e.g., `v0.2.0`)
Trusted publishing is more secure than API tokens because:
- No long-lived credentials stored in GitHub secrets
- Automatic verification of publisher identity
- Per-repository and per-workflow restrictions
- Automatic token rotation