From 49ee47d737d51139a35c48198f6be03b28fcc32a Mon Sep 17 00:00:00 2001
From: Kevin Smith
Date: Mon, 26 Jan 2026 15:38:25 -0600
Subject: [PATCH] Update publish workflow to use PyPI trusted publishing

Replace twine-based PyPI publishing with OIDC-based trusted publishing using the pypa/gh-action-pypi-publish GitHub Action.

Changes:
- Add permissions block with id-token: write for OIDC
- Add environment block referencing the 'publish' environment
- Remove twine installation step
- Replace twine upload with gh-action-pypi-publish action

Co-Authored-By: Claude Opus 4.5
---
 .github/workflows/publish.yml | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 7dac7f55..fe684d0c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -156,12 +156,16 @@ jobs:
 runs-on: ubuntu-latest
- steps:
- - name: Install dependencies
- run: |
- python -m pip install --upgrade pip
- pip install twine==6.0.1
+ permissions:
+ id-token: write # Required for OIDC trusted publishing
+ actions: read # Required for actions/download-artifact
+ contents: read # Required for repository access
+ environment:
+ name: publish
+ url: https://pypi.org/p/singlestoredb
+
+ steps:
 - name: Download Linux wheels and sdist
 uses: actions/download-artifact@v4
 with:
@@ -180,14 +184,9 @@ jobs:
 name: artifacts-macOS
 path: dist
- - name: Publish PyPI package
+ - name: Publish to PyPI
 if: ${{ github.event_name == 'release' || github.event.inputs.publish_pypi == 'true' }}
- env:
- TWINE_USERNAME: __token__
- TWINE_PASSWORD: "${{ secrets.PYPI_TOKEN }}"
- run: |
- ls ./dist/*
- twine upload ./dist/*
+ uses: pypa/gh-action-pypi-publish@release/v1
 # - name: Publish Conda package
 # if: ${{ github.event_name == 'release' || github.event.inputs.publish_anaconda == 'true' }}
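Review bot: The `environment: name: publish` added in the first hunk only restricts who can mint a publishing token if the PyPI trusted-publisher entry is configured with that exact environment name and the repository's `publish` environment carries protection rules (required reviewers and/or deployment branch and tag restrictions); neither is expressible in this file, so a run of publish.yml from any branch would otherwise be accepted by PyPI. Those two external settings should be stated next to the block so the next maintainer does not remove or rename the environment without updating PyPI, for example `# Must match the environment in the PyPI trusted-publisher config; approval/branch rules are set on this environment in repo settings`. Note also that `id-token: write` and the environment gate apply to every run of this job, including runs where the step-level `if` later skips publishing, since the job has no `if` of its own in the visible lines. The enclosing job starts before this hunk, so a job-level condition may exist outside the view.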
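Review bot: `uses: pypa/gh-action-pypi-publish@release/v1` in the second hunk references a mutable branch, so the code that receives the OIDC token and uploads the artifacts can change without any change to this repository; pin it to a full-length commit SHA with a version comment, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # vX.Y.Z`, and let a dependency bot track updates. The removed `secrets.PYPI_TOKEN` is still a valid long-lived credential until it is revoked on PyPI and deleted from the repository secrets; that follow-up is not mentioned in the commit and is the main reason to switch to OIDC in the first place. The old `ls ./dist/*` gave a record of exactly which files were uploaded; the action appears to offer a `print-hash` input (`with:` / `print-hash: true`) that would restore that in the run log with digests, which is worth enabling if the input exists in the pinned version.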