feat: Trusted Publishing to PyPI (#1706)

mrgrain · web-flow · commit 40ff5cee5bd2 · 2025-08-08T14:08:09.000Z
diff --git a/README.md b/README.md
@@ -125,7 +125,7 @@ The server type is selected using the `MAVEN_SERVER_ID` variable.
 | `ossrh` (deprecated) | `MAVEN_STAGING_PROFILE_ID`                                            | Yes               | Central Publisher (sonatype) staging profile ID, corresponding to namespace (e.g. `com.sonatype.software`).                                                                                                                                                                                                                                                               |
 | `ossrh` (deprecated) | `MAVEN_ENDPOINT`                                                      | No                | URL of Nexus repository. Defaults to `https://central.sonatype.com`.                                                                                                                                                                                                                                                                                                      |
 
-**How to create a GPG key**
+### How to create a GPG key
 
 Install [GnuPG](https://gnupg.org/).
 
@@ -214,11 +214,31 @@ npx publib-pypi [DIR]
 
 **Options (environment variables):**
 
-| Option                 | Required | Description                                                    |
-| ---------------------- | -------- | -------------------------------------------------------------- |
-| `TWINE_USERNAME`       | Required | PyPI username ([register](https://pypi.org/account/register/)) |
-| `TWINE_PASSWORD`       | Required | PyPI password                                                  |
-| `TWINE_REPOSITORY_URL` | Optional | The registry URL (defaults to Twine default)                   |
+| Option                      | Required | Description                                                                                                                                                                        |
+| --------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `TWINE_USERNAME`            | Optional | PyPI username ([register](https://pypi.org/account/register/)). Not required when using Trusted Publishers.                                                                        |
+| `TWINE_PASSWORD`            | Optional | PyPI password or API token. Not required when using Trusted Publishers.                                                                                                            |
+| `TWINE_REPOSITORY`          | Optional | The repository to upload the package to. Defaults to `pypi`, set `testpypi` to publish to the testing index.                                                                       |
+| `TWINE_REPOSITORY_URL`      | Optional | A custom repository URL, overrides `TWINE_REPOSITORY`.                                                                                                                             |
+| `PYPI_TRUSTED_PUBLISHER`    | Optional | Set to any value to use PyPI [Trusted Publisher](https://docs.pypi.org/trusted-publishers/) authentication (OIDC). Requires a supported ambient identity (i.e. CI/CD environment). |
+| `PYPI_DISABLE_ATTESTATIONS` | Optional | Set to any value to disable [PyPI attestations](https://docs.pypi.org/attestations/producing-attestations/) (enabled by default with Trusted Publishers).                          |
+
+### Trusted Publishers and Attestations
+
+PyPI [Trusted Publishers](https://docs.pypi.org/trusted-publishers/) allows publishing without API tokens by using OpenID Connect (OIDC) authentication between a trusted third-party service and PyPI.
+Typically these are CI/CD providers like GitHub Actions or Gitlab CI/CD.
+PyPI attestations provide cryptographic proof of package provenance and integrity and are **enabled by default when using Trusted Publishers**. Attestations are only available when using Trusted Publisher authentication.
+
+**Trusted Publisher Setup:**
+
+1. Configure your PyPI project to use a [Trusted Publisher](https://docs.pypi.org/trusted-publishers/adding-a-publisher/)
+2. Set `PYPI_TRUSTED_PUBLISHER=1` in your workflow environment
+3. No `TWINE_USERNAME` or `TWINE_PASSWORD` needed
+
+**Requirements:**
+
+* **GitHub Actions**: Your workflow must have `id-token: write` permission.
+* **Gitlab CI/CD**: The keyword `id_tokens` is used to request an OIDC token from GitLab with name `PYPI_ID_TOKEN` and audience `pypi`.
 
 ## Golang
 
diff --git a/bin/publib-pypi b/bin/publib-pypi
@@ -9,27 +9,74 @@ set -euo pipefail
 #
 # DIR is where *.whl files are looked up (default is "dist/python")
 #
-# TWINE_USERNAME (required)
-# TWINE_PASSWORD (required)
+# TWINE_USERNAME (optional, ignored when using Trusted Publishers)
+# TWINE_PASSWORD (optional, ignored when using Trusted Publishers)
+# PYPI_TRUSTED_PUBLISHER (optional) - set to any value to use Trusted Publisher authentication
+# PYPI_DISABLE_ATTESTATIONS (optional) - set to any value to disable attestations
 #
 ###
 
 cd "${1:-"dist/python"}"
 
-[ -z "${TWINE_USERNAME:-}" ] && {
-  echo "Missing TWINE_USERNAME"
-  exit 1
-}
-
-[ -z "${TWINE_PASSWORD:-}" ] && {
-  echo "Missing TWINE_PASSWORD"
-  exit 1
-}
-
 if [ -z "$(ls *.whl)" ]; then
   echo "cannot find any .whl files in $PWD"
   exit 1
 fi
 
-python3 -m pip install --user --upgrade twine
-python3 -m twine upload --verbose --skip-existing *
+# Validate credentials before installing packages
+if [ -z "${PYPI_TRUSTED_PUBLISHER:-}" ]; then
+  [ -z "${TWINE_USERNAME:-}" ] && {
+    echo "Missing TWINE_USERNAME (required when not using Trusted Publishers)"
+    exit 1
+  }
+  
+  [ -z "${TWINE_PASSWORD:-}" ] && {
+    echo "Missing TWINE_PASSWORD (required when not using Trusted Publishers)"
+    exit 1
+  }
+fi
+
+# Install required packages
+packages="twine"
+if [ -n "${PYPI_TRUSTED_PUBLISHER:-}" ]; then
+  packages="$packages id"
+fi
+if [ -z "${PYPI_DISABLE_ATTESTATIONS:-}" ]; then
+  packages="$packages pypi-attestations"
+fi
+python3 -m pip install --user --upgrade $packages
+
+# Check for Trusted Publisher
+if [ -n "${PYPI_TRUSTED_PUBLISHER:-}" ]; then
+  echo "Using PyPI Trusted Publisher authentication"
+  
+  # Determine audience based on repository
+  audience="pypi"
+  mint_url="https://pypi.org/_/oidc/mint-token"
+  if [ "${TWINE_REPOSITORY:-}" = "testpypi" ]; then
+    audience="testpypi"
+    mint_url="https://test.pypi.org/_/oidc/mint-token"
+  fi
+  
+  # Generate OIDC token and mint API token
+  oidc_token=$(python3 -m id "$audience")
+  resp=$(curl -s -X POST "$mint_url" -d "{\"token\": \"${oidc_token}\"}")
+  api_token=$(jq -r '.token' <<< "${resp}")
+  
+  export TWINE_USERNAME="__token__"
+  export TWINE_PASSWORD="$api_token"
+fi
+
+if [ -z "${PYPI_DISABLE_ATTESTATIONS:-}" ]; then
+  echo "Signing packages with pypi-attestations"
+  python3 -m pypi_attestations sign *
+fi
+
+# Build upload command with optional attestations
+upload_opts="--verbose --skip-existing"
+if [ -z "${PYPI_DISABLE_ATTESTATIONS:-}" ]; then
+  upload_opts="$upload_opts --attestations"
+fi
+
+echo "Uploading packages to PyPI"
+python3 -m twine upload $upload_opts *
