➕ Apply the new property of Python uploading authentication and add one new parameter about PyPI tokens if it needs.

Author: Chisanan232

.github/workflows/rw_python_package.yaml

@@ -33,6 +33,18 @@ on:
         required: false
         default: 'python-package'
         type: string
+      auth-method:
+        description: 'Authentication method: oidc or token'
+        required: false
+        default: 'oidc'
+        type: string
+    secrets:
+      PYPI_API_TOKEN:
+        description: 'PyPI API token (only required if auth-method is token)'
+        required: false
+      TEST_PYPI_API_TOKEN:
+        description: 'Test PyPI API token (only required if auth-method is token for TestPyPI)'
+        required: false
 
     outputs:
       build-success:
@@ -119,24 +131,43 @@ jobs:
           path: dist/
           retention-days: 30
 
-      - name: Publish to PyPI
-        if: inputs.operation == 'publish-pypi'
-        run: |
-          echo "🚀 Publishing to PyPI..."
-          uv publish
-          echo "✅ Published to PyPI successfully"
+      - name: Setup PyPI OIDC Authentication
+        if: contains(fromJSON('["publish-pypi", "publish-testpypi"]'), inputs.operation) && inputs.auth-method == 'oidc'
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          print-hash: true
+          verify-metadata: true
+          packages-dir: dist/
+          repository-url: ${{ inputs.operation == 'publish-testpypi' && 'https://test.pypi.org/legacy/' || 'https://upload.pypi.org/legacy/' }}
 
-      - name: Publish to TestPyPI
-        if: inputs.operation == 'publish-testpypi'
+      - name: Setup PyPI Token Authentication
+        if: contains(fromJSON('["publish-pypi", "publish-testpypi"]'), inputs.operation) && inputs.auth-method == 'token'
+        env:
+          TWINE_USERNAME: __token__
+          TWINE_PASSWORD: ${{ inputs.operation == 'publish-pypi' && secrets.PYPI_API_TOKEN || secrets.TEST_PYPI_API_TOKEN }}
+          TWINE_REPOSITORY_URL: ${{ inputs.operation == 'publish-testpypi' && 'https://test.pypi.org/legacy/' || 'https://upload.pypi.org/legacy/' }}
         run: |
-          echo "🚀 Publishing to TestPyPI..."
-          uv publish --publish-url https://test.pypi.org/legacy/
-          echo "✅ Published to TestPyPI successfully"
+          echo "🔑 Using PyPI token authentication..."
+          
+          # Verify token is available
+          if [ -z "$TWINE_PASSWORD" ]; then
+            echo "❌ Error: PyPI API token not found in secrets"
+            echo "Please ensure ${{ inputs.operation == 'publish-pypi' && 'PYPI_API_TOKEN' || 'TEST_PYPI_API_TOKEN' }} is set in repository secrets"
+            exit 1
+          fi
+          
+          echo "🚀 Publishing to ${{ inputs.operation == 'publish-pypi' && 'PyPI' || 'TestPyPI' }} using token authentication..."
+          uv publish ${{ inputs.operation == 'publish-testpypi' && '--publish-url https://test.pypi.org/legacy/' || '' }}
+          echo "✅ Published to ${{ inputs.operation == 'publish-pypi' && 'PyPI' || 'TestPyPI' }} successfully"
 
       - name: Operation summary
         run: |
           echo "## Python Package Operation Summary" >> $GITHUB_STEP_SUMMARY
           echo "- **Operation**: ${{ inputs.operation }}" >> $GITHUB_STEP_SUMMARY
           echo "- **Version**: ${{ steps.version.outputs.version }}" >> $GITHUB_STEP_SUMMARY
           echo "- **Python**: ${{ inputs.python-version }}" >> $GITHUB_STEP_SUMMARY
+          if [[ "${{ inputs.operation }}" == "publish-pypi" || "${{ inputs.operation }}" == "publish-testpypi" ]]; then
+            echo "- **Auth Method**: ${{ inputs.auth-method == 'oidc' && '🔒 OIDC (Trusted Publisher)' || '🔑 API Token' }}" >> $GITHUB_STEP_SUMMARY
+            echo "- **Repository**: ${{ inputs.operation == 'publish-pypi' && 'PyPI (production)' || 'TestPyPI (staging)' }}" >> $GITHUB_STEP_SUMMARY
+          fi
           echo "- **Status**: ✅ Completed successfully" >> $GITHUB_STEP_SUMMARY

.github/workflows/rw_release_complete.yaml

@@ -32,10 +32,16 @@ on:
         type: string
     secrets:
       DOCKERHUB_USERNAME:
-        description: 'Docker Hub username'
+        description: 'DockerHub username'
         required: false
       DOCKERHUB_TOKEN:
-        description: 'Docker Hub token'
+        description: 'DockerHub access token'
+        required: false
+      PYPI_API_TOKEN:
+        description: 'PyPI API token (required for token-based authentication)'
+        required: false
+      TEST_PYPI_API_TOKEN:
+        description: 'Test PyPI API token (required for token-based authentication)'
         required: false
     outputs:
       version:
@@ -365,6 +371,10 @@ jobs:
       version: ${{ needs.bump_version.outputs.version }}
       checkout-sha: ${{ needs.bump_version.outputs.new_sha }}
       artifact-name: 'python-package-production'
+      auth-method: ${{ needs.config.outputs.python_auth_method }}
+    secrets:
+      PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
+      TEST_PYPI_API_TOKEN: ${{ secrets.TEST_PYPI_API_TOKEN }}
 
   release_docker_hub:
     name: Release to DockerHub

.github/workflows/rw_release_staging_complete.yaml

@@ -15,7 +15,13 @@ on:
         description: 'Docker Hub username'
         required: false
       DOCKERHUB_TOKEN:
-        description: 'Docker Hub token'
+        description: 'Docker Hub access token'
+        required: false
+      PYPI_API_TOKEN:
+        description: 'PyPI API token (required for token-based authentication)'
+        required: false
+      TEST_PYPI_API_TOKEN:
+        description: 'Test PyPI API token (required for token-based authentication)'
         required: false
     outputs:
       version:
@@ -107,6 +113,10 @@ jobs:
       version: ${{ needs.compute-version.outputs.version }}
       checkout-sha: ${{ github.sha }}
       artifact-name: 'staging-python-package'
+      auth-method: ${{ needs.config.outputs.python_auth_method }}
+    secrets:
+      PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
+      TEST_PYPI_API_TOKEN: ${{ secrets.TEST_PYPI_API_TOKEN }}
 
   dockerhub-rc:
     name: Staging Release to DockerHub