Skip to content

fix(ci): publish via uv to avoid OIDC token expiry#251

Merged
pratyush618 merged 1 commit into
masterfrom
fix/publish-workflow-overhaul
Jun 12, 2026
Merged

fix(ci): publish via uv to avoid OIDC token expiry#251
pratyush618 merged 1 commit into
masterfrom
fix/publish-workflow-overhaul

Conversation

@pratyush618

@pratyush618 pratyush618 commented Jun 12, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Disable sigstore attestations in pypi-publish step
  • OIDC token expires (~5min TTL) before signing completes with 21 artifacts (~10s each)
  • sigstore.oidc.ExpiredIdentity crashed publish before any upload

Test plan

  • Rerun publish: gh workflow run publish.yml -f version=0.16.1

Summary by CodeRabbit

  • Chores
    • Updated PyPI publishing workflow: replaced the previous publish mechanism with a new publish step that sets up and runs the updated publisher, and adjusted publishing conditions and flags to control artifact upload and trusted publishing behavior.

@github-actions github-actions Bot added the ci label Jun 12, 2026
@coderabbitai

coderabbitai Bot commented Jun 12, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The publish workflow's PyPI job now installs/sets up uv and runs uv publish --trusted-publishing always dist/* instead of using the pypa/gh-action-pypi-publish action, preserving existing conditionals for skipping publish when appropriate.

Changes

Publish workflow: uv publish

Layer / File(s) Summary
Replace action with uv publish
.github/workflows/publish.yml
Adds a Set up uv step and replaces the pypa/gh-action-pypi-publish action with uv publish --trusted-publishing always dist/*, retaining the existing all_uploaded and !inputs.dry-run conditions and removing the previous action-specific options.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • ByteVeda/taskito#248: Modifies .github/workflows/publish.yml's PyPI publish job and related publish-step refactoring.
  • ByteVeda/taskito#241: Also adjusts the publish workflow and gating around existing-artifact checks.
  • ByteVeda/taskito#243: Related changes to publishing logic and validation around dist/* artifacts.

Poem

🐰 I hopped into CI with a grin,
I set up uv, then pushed the spin,
No action call, a CLI hum,
Dist files fly—publish, come! 🥕✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The PR title states 'publish via uv to avoid OIDC token expiry' but the PR objectives indicate the actual change is disabling sigstore attestations to avoid OIDC expiry. The raw_summary shows the change is replacing pypa/gh-action-pypi-publish with uv, which is related but the title's framing of why (to avoid OIDC expiry via uv) doesn't align with the stated objective of disabling attestations. Clarify whether the primary fix is switching to uv or disabling attestations, and ensure the title accurately reflects the main change.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/publish-workflow-overhaul

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish.yml:
- Line 347: The workflow currently disables attestations via the manifest key
attestations: false which weakens supply-chain guarantees; try alternatives
first: publish in batches (split the 21 artifacts and call the publish step
multiple times with fresh OIDC tokens), pre-compute/generate attestations in a
prior job if supported, reduce target wheel count, or add retry logic around the
publish step using the existing skip-existing: true to resume after OIDC expiry;
if none are feasible, add a clear comment immediately above the attestations:
false line documenting the operational constraint (OIDC token expiry), the
evaluated alternatives, and an explicit risk acceptance statement.
- Line 347: The workflow currently sets attestations: false which disables PEP
740 build provenance; update the publish workflow to document this decision and
add mitigation steps: replace the plain setting with an inline comment
explaining why attestations are disabled, add a TODO to re-enable them with a
mitigation plan (e.g., split the publish job into per-package jobs or smaller
batches, refresh/renew OIDC tokens, or adopt a signing step that can complete
before token expiry), and create a short checklist entry (in the repo README or
CONTRIBUTING) referencing the workflow symbol attestations so maintainers know
to revisit and re-enable attestations when the chosen mitigation (job-splitting
or token handling) is implemented.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1f762157-e829-45af-b96b-20502ffca7ac

📥 Commits

Reviewing files that changed from the base of the PR and between 41f18ce and 193ee4f.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml

Comment thread .github/workflows/publish.yml Outdated
gh-action-pypi-publish signs each artifact with Sigstore, exhausting the
~5min OIDC token before all 21 wheels upload (ExpiredIdentity). uv publish
exchanges the token once and uploads without per-file signing.
@pratyush618
pratyush618 force-pushed the fix/publish-workflow-overhaul branch from 193ee4f to bd2dfff Compare June 12, 2026 03:39
@pratyush618 pratyush618 changed the title fix(ci): disable attestations to avoid OIDC expiry fix(ci): publish via uv to avoid OIDC token expiry Jun 12, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (1)
.github/workflows/publish.yml (1)

341-343: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin action version and uv binary to match CI workflow.

The setup-uv configuration differs from .github/workflows/ci.yml which uses astral-sh/setup-uv@v8.1.0 with version: "0.10.12". This workflow uses @v7 without a version pin, creating two issues:

  1. Version mismatch: v7 vs v8.1.0 could cause different behavior between CI and publish.
  2. Missing uv version: Without version, different uv releases may be used, risking publish inconsistencies.
  3. Unpinned action: No commit hash pin (flagged by static analysis).
🔧 Suggested fix to align with CI
       - name: Set up uv
         if: steps.pypi-check.outputs.all_uploaded != 'true' && !inputs.dry-run
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@v8.1.0
+        with:
+          version: "0.10.12"

For full supply-chain hardening, consider pinning to a commit hash as done with actions/checkout.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml around lines 341 - 343, The publish workflow
uses astral-sh/setup-uv@v7 without a version field, causing a mismatch with the
CI workflow (which uses astral-sh/setup-uv@v8.1.0 and version "0.10.12") and
leaving the uv binary unpinned; update the publish job to use the same action
reference and binary version as CI (use astral-sh/setup-uv@v8.1.0 and add
version: "0.10.12") and for supply-chain hardening consider pinning the action
to a specific commit hash (similar to actions/checkout) to avoid drift and
ensure consistent publish behavior.

Source: Linters/SAST tools

🧹 Nitpick comments (1)
.github/workflows/publish.yml (1)

345-347: 💤 Low value

Command syntax is correct; attestation tradeoff remains.

The uv publish --trusted-publishing always dist/* command correctly uses PyPI's OIDC-based trusted publishing (the required id-token: write permission is declared at line 277). This sidesteps the OIDC token expiry issue since uv doesn't perform sigstore attestation signing.

Note: As discussed in prior review iterations, this approach removes PEP 740 attestations from published artifacts. The tradeoff is documented in the PR description, but consider adding a brief inline comment for future maintainers explaining why uv publish was chosen over the attestation-capable action.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml around lines 345 - 347, Add a brief inline
comment above the Publish to PyPI step explaining why we use the `uv publish
--trusted-publishing always dist/*` command (it uses OIDC trusted publishing and
avoids OIDC token expiry issues) and that this deliberately forgoes PEP
740/sigstore attestations; reference that the workflow has the `id-token: write`
permission configured for OIDC and note the tradeoff for future maintainers so
they understand why `uv publish` was chosen over an attestation-capable action.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In @.github/workflows/publish.yml:
- Around line 341-343: The publish workflow uses astral-sh/setup-uv@v7 without a
version field, causing a mismatch with the CI workflow (which uses
astral-sh/setup-uv@v8.1.0 and version "0.10.12") and leaving the uv binary
unpinned; update the publish job to use the same action reference and binary
version as CI (use astral-sh/setup-uv@v8.1.0 and add version: "0.10.12") and for
supply-chain hardening consider pinning the action to a specific commit hash
(similar to actions/checkout) to avoid drift and ensure consistent publish
behavior.

---

Nitpick comments:
In @.github/workflows/publish.yml:
- Around line 345-347: Add a brief inline comment above the Publish to PyPI step
explaining why we use the `uv publish --trusted-publishing always dist/*`
command (it uses OIDC trusted publishing and avoids OIDC token expiry issues)
and that this deliberately forgoes PEP 740/sigstore attestations; reference that
the workflow has the `id-token: write` permission configured for OIDC and note
the tradeoff for future maintainers so they understand why `uv publish` was
chosen over an attestation-capable action.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9e822ed6-8f95-42eb-8708-dd5464621496

📥 Commits

Reviewing files that changed from the base of the PR and between 193ee4f and bd2dfff.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml

@pratyush618
pratyush618 merged commit 43836ec into master Jun 12, 2026
18 checks passed
@pratyush618
pratyush618 deleted the fix/publish-workflow-overhaul branch June 12, 2026 04:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant