Update release workflow to use PyPI's trusted publisher support.#400
Merged
…ithub; add more recent python versions to wheel build
tgregg
approved these changes
Jan 15, 2025
Issue #, if available: n/a
Description of changes:
Prior to this PR the release workflow would build our wheels and upload them to S3, where a code pipeline would upload them to PyPI. Last year, PyPI removed the ability to upload wheels using user/pass for auth, and required either an API key or configuring a Trusted Publisher.

This PR updates the release workflow to use PyPI's trusted publisher via GitHub. Rather than uploading the wheels to S3 and uploading them via the code pipeline with a secret key, we've configured our PyPI project to trust GitHub's OIDC provider. In our workflow we can request a token from GitHub (via the pypa/gh-action-pypi-publish action), which will be signed with GitHub's key and verified by PyPI. The token contains claims identifying the repo and workflow that is attempting to authenticate. Our PyPI project is configured to only allow the amazon-ion/ion-python repo and release.yml workflow to push new wheels. By using this method, we do not have to store any secrets for our PyPI account, and can simplify our release process.

In addition to this change, I've addressed some actionlint warnings regarding shell quoting, and added Python 3.12 and 3.13 to the versions cibuildwheel will build for.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
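The description above explains the trust decision PyPI makes on a trusted-publisher upload: the OIDC token is signed by GitHub's provider, and PyPI checks the claims naming the repository and workflow file against what the project owner registered. The following is an added example written for this page, not code from ion-python, PyPI or the pypa/gh-action-pypi-publish action. It models the check end to end with only the standard library: a simulated issuer mints a JWT carrying a constructed subset of GitHub's claims (`iss`, `aud`, `exp`, `repository`, `job_workflow_ref`), and a simulated publisher-side verifier checks the signature and standard claims before applying the repo/workflow policy. Assumptions: the HS256 shared key stands in for GitHub's RS256 keys (real verification fetches the public key from the issuer's JWKS endpoint), and the policy is matched on the `repository` and `job_workflow_ref` claims, with only the workflow path before `@` trusted, never the git ref after it.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key for the simulation. Real GitHub tokens are RS256-signed
# with keys published at the issuer's JWKS endpoint; HS256 with a shared
# secret stands in for that here so the example runs offline.
SIM_SIGNING_KEY = b"simulated-github-oidc-signing-key"

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
PYPI_AUDIENCE = "pypi"

# Trusted-publisher policy as the PR describes it: only this repo and this
# workflow file may publish. Assumption: matched on the `repository` and
# `job_workflow_ref` claims carried by GitHub's OIDC token.
TRUSTED_REPO = "amazon-ion/ion-python"
TRUSTED_WORKFLOW = ".github/workflows/release.yml"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SIM_SIGNING_KEY) -> str:
    """Simulated OIDC provider: sign a JWT carrying the workflow's claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = SIM_SIGNING_KEY,
                 now: Optional[float] = None) -> dict:
    """Signature and standard claims: the checks that precede any policy."""
    header_b64, body_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != PYPI_AUDIENCE:
        raise ValueError("token was not minted for PyPI")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def publish_allowed(claims: dict) -> bool:
    """Trusted-publisher policy: exact repo and exact workflow file path.

    job_workflow_ref looks like '<owner>/<repo>/<path>@<git ref>'. Only the
    path before '@' is trusted; the branch or tag after it is attacker-
    choosable by anyone who can push to the repo, so it is ignored here.
    """
    if claims.get("repository") != TRUSTED_REPO:
        return False
    path, sep, _git_ref = claims.get("job_workflow_ref", "").partition("@")
    return sep == "@" and path == f"{TRUSTED_REPO}/{TRUSTED_WORKFLOW}"


def can_publish(token: str, now: Optional[float] = None) -> bool:
    """Full decision: reject on any verification or policy failure."""
    try:
        return publish_allowed(verify_token(token, now=now))
    except ValueError:
        return False


def github_claims(repository: str, workflow_path: str,
                  git_ref: str = "refs/tags/v1.0.0", ttl: int = 300) -> dict:
    """Constructed subset of the claims a GitHub Actions OIDC token carries."""
    return {
        "iss": GITHUB_ISSUER,
        "aud": PYPI_AUDIENCE,
        "exp": int(time.time()) + ttl,
        "repository": repository,
        "repository_owner": repository.split("/")[0],
        "job_workflow_ref": f"{repository}/{workflow_path}@{git_ref}",
        "ref": git_ref,
    }


if __name__ == "__main__":
    release = mint_token(github_claims(TRUSTED_REPO, TRUSTED_WORKFLOW))
    fork = mint_token(github_claims("someone-else/ion-python", TRUSTED_WORKFLOW))
    ci_job = mint_token(github_claims(TRUSTED_REPO, ".github/workflows/ci.yml"))
    print("release.yml in trusted repo:", can_publish(release))
    print("release.yml in a fork:      ", can_publish(fork))
    print("ci.yml in trusted repo:     ", can_publish(ci_job))
```

The workflow side of this is what the PR wires up: the publishing job needs `permissions: id-token: write` so the runner may request the token, and the pypa/gh-action-pypi-publish action exchanges it with PyPI. Note what the policy does not cover: a token minted from any branch or tag of the trusted repo by the trusted workflow file passes, so write access to the repo is write access to the package, which is why restricting who can push and (optionally) binding the publisher to a protected GitHub environment matter.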