Skip to content

Switch PyPi to OIDC authentication #146

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 12, 2025
Merged

Switch PyPi to OIDC authentication #146

merged 1 commit into from
Nov 12, 2025

Conversation

@codingjoe
Copy link
Owner

@codingjoe codingjoe commented Nov 12, 2025

No description provided.

Copilot AI review requested due to automatic review settings November 12, 2025 12:08
@codingjoe codingjoe self-assigned this Nov 12, 2025
Copilot finished reviewing on behalf of codingjoe November 12, 2025 12:09
Copilot AI reviewed Nov 12, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR modernizes the PyPI publishing workflow by switching from password-based authentication to OIDC (OpenID Connect) trusted publishing, which is a more secure and maintainable approach.

Key changes:

  • Split the workflow into two jobs: release-build (builds artifacts) and pypi-publish (publishes to PyPI)
  • Replaced manual twine upload with the official pypa/gh-action-pypi-publish action
  • Added OIDC permissions (id-token: write) for secure authentication

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

.github/workflows/release.yml
env:
TWINE_USERNAME: __token__
TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
- uses: actions/upload-artifact@v5
Copy link

Copilot AI Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mismatched artifact action versions. The workflow uses actions/upload-artifact@v5 for uploading but actions/download-artifact@v6 for downloading. These should use matching major versions to ensure compatibility. Either use @v5 for both or @v6 for both.

Suggested change
- uses: actions/upload-artifact@v5
- uses: actions/upload-artifact@v6

Copilot uses AI. Check for mistakes.
.github/workflows/release.yml
name: Release
on:
release:
types: [published]
Copy link

Copilot AI Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] The addition of workflow_dispatch trigger enables manual workflow execution, but there's no documentation or comment explaining why this trigger was added or when it should be used. Consider adding a comment to clarify the intended use case for manual triggering.

Suggested change
types: [published]
types: [published]
# Allows maintainers to manually trigger the release workflow if an automated release event fails or a release needs to be published outside the normal process.

Copilot uses AI. Check for mistakes.
@codecov
Copy link

codecov bot commented Nov 12, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.76%. Comparing base (bec3e74) to head (2b29bb0).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #146      +/-   ##
==========================================
+ Coverage   97.63%   97.76%   +0.12%     
==========================================
  Files          17       17              
  Lines         805      805              
==========================================
+ Hits          786      787       +1     
+ Misses         19       18       -1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@codingjoe codingjoe merged commit b323762 into main Nov 12, 2025
20 checks passed
@codingjoe codingjoe deleted the release branch November 12, 2025 12:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

@codingjoe codingjoe

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@codingjoe