ci: switch PyPI publish workflow to Trusted Publishing#3296
ci: switch PyPI publish workflow to Trusted Publishing#3296adityasingh2400 wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4a9f059168
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Replace the rye PYPI_TOKEN env with the pypa/gh-action-pypi-publish action and id-token: write permissions, so the workflow uploads via PyPI Trusted Publishing rather than a long-lived token. Other steps in publish-pypi.yml are unchanged. After merge, the PyPI project will need a Trusted Publisher binding pointing at openai/openai-python and the publish-pypi.yml workflow name. Closes openai#3273.
4a9f059 to
041f5bb
Compare
|
Added |
|
Closing this as superseded. PR #3365 landed Trusted Publishing on main with a stronger setup than this PR had: the build job runs without OIDC permissions and a separate upload only publish job carries id-token write, with both jobs guarded to the main branch of this repo. That covers everything #3273 asked for, so this PR is no longer needed. |
Closes #3273.
Replace the rye PYPI_TOKEN environment variable with the pypa/gh-action-pypi-publish action and id-token: write permissions, so the workflow uploads via PyPI Trusted Publishing rather than a long-lived token. Other steps in publish-pypi.yml are unchanged.
After merge, the PyPI project will need a Trusted Publisher binding pointing at openai/openai-python and the publish-pypi.yml workflow name; happy to leave the action shape alone if maintainers prefer to set that up first.