feat: migrate to OIDC trusted publishing#22

Merged
visubique merged 2 commits into
mainfrom
tom/OSS-508-trusted-pypi-publishing
May 15, 2026
Conversation

@visubique

Contributor

Same migration as ossprey-python-client: stops inlining release logic, switches to OIDC, collapses the separate test-release workflow into a checkbox on the main one.

Changes

  • Replace inlined release steps in release.yml with uses: ossprey/cicd/python-release@v2.
  • Add a test boolean workflow_dispatch input.
  • Add job-level environment: pypi and permissions: id-token: write.
  • Remove top-level permissions block.
  • Delete test-release.yml — the test checkbox in release.yml replaces it.
  • Keep Slack failure notifier.

Required before merge: PR in cicd merged + tagged v2; PyPI/TestPyPI trusted publishers registered for ossbom; GitHub Environment pypi created in repo settings.

@osspreyqa

osspreyqa Bot commented May 14, 2026


SBOM submitted! Check the Ossprey platform: https://dashboard.ossprey.com/asset/?id=ossprey%2Fossbom

@visubique visubique changed the title feat: migrated to OIDC trusted publishing feat: migrate to OIDC trusted publishing May 14, 2026
@osspreyqa

osspreyqa Bot commented May 14, 2026


Warning! Potential malware in this PR. Please review the vulnerability report.

andyantrim
andyantrim previously approved these changes May 14, 2026
dreadn0ught
dreadn0ught previously approved these changes May 14, 2026
Comment thread .github/workflows/release.yml Outdated
- name: Checkout code
uses: actions/checkout@v4
- name: Run python-release
uses: ossprey/cicd/python-release@v2
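Review bot: the `uses: ossprey/cicd/python-release@v2` step runs in the same job that the description gives `permissions: id-token: write`, so checkout, build and upload all share the OIDC token, and the build backend (plus whatever it resolves at build time) can request a PyPI trusted-publisher token just as well as the upload step can. Move the build into a job with no `id-token` permission, hand the dists over as a workflow artifact, and keep only the upload in the `environment: pypi` job. Separately, both actions here are referenced by floating tags (`actions/checkout@v4`, `ossprey/cicd/python-release@v2`); for the one job that can publish to PyPI, pinning to a full commit SHA limits what a moved tag can change.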

@andyantrim I'm assuming this is what motivated pypa/gh-action-pypi-publish#406?

Tip

TL;DR — always build in a separate job that does not have OIDC privileges.
Only perform upload to PyPI in the job with OIDC. Otherwise, you're letting your build backend (and its transitive dep tree) impersonate you, not just against PyPI but anything else that may gain transitive trust to the repo in the future.

@visubique visubique dismissed stale reviews from dreadn0ught and andyantrim via 8faf3d8 May 15, 2026 15:27
@osspreyqa

osspreyqa Bot commented May 15, 2026


SBOM submitted! Check the Ossprey platform: https://dashboard.ossprey.com/asset/?id=ossprey%2Fossbom

@osspreyqa

osspreyqa Bot commented May 15, 2026


Warning! Potential malware in this PR. Please review the vulnerability report.

@visubique visubique merged commit 5b87021 into main May 15, 2026
3 of 4 checks passed
@visubique visubique deleted the tom/OSS-508-trusted-pypi-publishing branch May 15, 2026 15:42
4 participants