Bug: PyPI release workflow fails with invalid-publisher
The Publish to PyPI GitHub Actions workflow is currently configured to use PyPI Trusted Publishing, but release publishes fail during the OIDC token exchange.
Evidence
Latest release run:
Failure excerpt:
Trusted publishing exchange failure:
Token request failed: the server refused the request for the following reasons:
* `invalid-publisher`: valid token, but no corresponding publisher (Publisher with matching claims was not found)
GitHub/PyPI claims emitted by the action:
repository: santoshray02/csv-editor
repository_owner: santoshray02
workflow_ref: santoshray02/csv-editor/.github/workflows/publish.yml@refs/tags/v2.0.0
job_workflow_ref: santoshray02/csv-editor/.github/workflows/publish.yml@refs/tags/v2.0.0
ref: refs/tags/v2.0.0
environment: MISSING
The package also does not currently resolve on PyPI:
https://pypi.org/pypi/csv-editor/json -> 404
Root cause
The workflow has the required id-token: write permission, but PyPI does not appear to have a matching Trusted Publisher / pending publisher configured for this repository and workflow, or the configured publisher differs from the claims above.
PyPI’s troubleshooting docs say invalid-publisher means the OIDC token is valid but does not match any known publisher, usually due to a mismatch in repository owner, repository name, workflow filename, or environment.
Recommended fix
Configure a PyPI pending publisher / trusted publisher for:
- PyPI project name: csv-editor
- GitHub owner: santoshray02
- GitHub repository: csv-editor
- Workflow filename: publish.yml
- Environment: either leave blank to match the current workflow, or preferably update the workflow to use a named environment like pypi and configure PyPI with pypi.
If TestPyPI publishing via workflow_dispatch should work too, configure a separate TestPyPI trusted publisher as well.
Suggested workflow hardening
It would be clearer to split the workflow into:
- A build job that uploads dist/* as an artifact.
- A publish-testpypi job for manual dispatch using environment testpypi.
- A publish-pypi job for GitHub releases using environment pypi.
That makes the PyPI trusted-publisher environment claim explicit instead of MISSING.
Related issue noticed
.github/workflows/publish-github.yml is named “Publish to GitHub Packages”, but it uploads to https://upload.pypi.org/legacy/. That is separate from the PyPI Trusted Publishing failure, but it likely explains why the GitHub Packages release workflow fails too.