ci: Migrate release workflow to Trusted Publishing #517

Open

birdcar wants to merge 3 commits into main from birdcar/trusted-publishing

Conversation

@birdcar birdcar (Contributor) commented Jan 15, 2026 (edited)

Description

This PR migrates our PyPI release publishing from API token authentication to Trusted Publishing (OIDC) for improved security.

Additionally, while working on the PR I reviewed the uv example workflow and came to the realization that our previous release strategy merely duplicated the testing strategy from our CI tests (i.e. using pytest in a virtual environment) and did not check whether the package would be importable by clients and that all modules were accessible.

The release workflow now operates in isolated stages:

  1. Build the package
  2. Smoke test against each supported version of Python, failing the release if there's an issue
  3. Upload the package to PyPI via Trusted Publishing token

Documentation

Does this require changes to the WorkOS Docs? E.g. the API Reference or code snippets need updates.

[ ] Yes

If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.
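The three-stage layout the description lists, written out as an added example workflow (an editor's sketch, not the PR's own .github/workflows/release.yml). The security point it shows is that `id-token: write` is granted only to the publish job, which cannot start until every smoke-test matrix leg has passed, so a failing import on any supported Python blocks the release. Action versions, the `pypi` environment name and the `--no-project` flag are assumptions; `tests/smoke_test.py` is the path the PR names.

```yaml
on:
  release:
    types: [published]
# Default-deny at the top level: a job only gets what it explicitly requests.
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5
      - run: uv build                      # writes dist/*.whl and dist/*.tar.gz
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
  smoke-test:
    needs: build
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
    steps:
      - uses: actions/checkout@v4          # only to obtain tests/smoke_test.py
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: astral-sh/setup-uv@v5
        with:
          python-version: ${{ matrix.python-version }}
      # Install the built artifact into a throwaway env (never the source tree),
      # once for the wheel and once for the sdist, so the check reflects what a client gets.
      - run: uv run --isolated --no-project --with dist/*.whl python tests/smoke_test.py
      - run: uv run --isolated --no-project --with dist/*.tar.gz python tests/smoke_test.py
  publish:
    needs: smoke-test                      # every matrix leg must have passed
    runs-on: ubuntu-latest
    environment: pypi                      # assumed name; must match the Trusted Publisher configured on PyPI
    permissions:
      id-token: write                      # the only job allowed to mint an OIDC token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: astral-sh/setup-uv@v5
      - run: uv publish                    # no TWINE_PASSWORD: the OIDC token is exchanged for a short-lived PyPI token
```

Because the OIDC token is minted per run and scoped by the PyPI-side publisher configuration (repository, workflow file, environment), a compromised CI secret store no longer yields a reusable upload credential.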

@birdcar birdcar self-assigned this Jan 15, 2026
@birdcar birdcar requested a review from a team as a code owner January 15, 2026 14:57
greptile-apps bot (Contributor) commented Jan 15, 2026

Greptile Summary

This PR successfully migrates the PyPI release workflow from API token authentication to OpenID Connect (OIDC) Trusted Publishing, significantly improving security by eliminating the need for long-lived API tokens. The workflow now operates in three isolated stages: build, comprehensive smoke testing across all supported Python versions (3.8-3.14), and publishing to PyPI.

Key improvements:

  • Security enhancement: Replaced TWINE_PASSWORD secret with OIDC-based Trusted Publishing using id-token: write permission
  • Better testing strategy: Added comprehensive smoke tests that verify the actual package importability and module accessibility rather than just running pytest in the build environment
  • Multi-version validation: Tests both wheel and sdist distributions across all 7 supported Python versions (3.8-3.14) before publishing
  • Proper job isolation: Separated build, test, and publish concerns with artifact passing between stages

The smoke test suite is thorough, covering package imports, version metadata, type markers (py.typed), client instantiation (both sync and async), all module accessibility, core type imports, exception classes, and dependency availability.

Confidence Score: 5/5

  • This PR is safe to merge with no security or functional risks
  • The changes follow industry best practices for PyPI publishing, improve security by eliminating API tokens, add comprehensive pre-release validation across all supported Python versions, and properly implement OIDC Trusted Publishing with correct permissions scoping
  • No files require special attention

Important Files Changed

Filename: Overview

.github/workflows/release.yml: Migrated to Trusted Publishing with OIDC authentication, removed API token usage, added comprehensive smoke testing stage across all Python versions (3.8-3.14) before publishing

tests/smoke_test.py: New comprehensive smoke test suite verifying package installation, imports, type markers, client instantiation, module accessibility, and dependency availability across both wheel and sdist distributions

Sequence Diagram

sequenceDiagram
 participant GH as GitHub (Release Event)
 participant Build as Build Job
 participant Artifacts as GitHub Artifacts
 participant Smoke as Smoke Test Job (Matrix 3.8-3.14)
 participant Publish as Publish Job
 participant PyPI as PyPI (OIDC)
 GH->>Build: Trigger on release published
 Build->>Build: Checkout code
 Build->>Build: Install uv
 Build->>Build: uv build (wheel + sdist)
 Build->>Artifacts: Upload dist/ artifacts
 
 Artifacts->>Smoke: Download dist/ artifacts
 Note over Smoke: Runs in parallel for each Python version
 Smoke->>Smoke: Install uv
 Smoke->>Smoke: Test wheel: uv run --isolated --with dist/*.whl
 Smoke->>Smoke: Test sdist: uv run --isolated --with dist/*.tar.gz
 Smoke->>Smoke: Verify imports, types, clients, modules
 
 alt All smoke tests pass
 Artifacts->>Publish: Download dist/ artifacts
 Publish->>Publish: Install uv
 Publish->>PyPI: uv publish (Trusted Publishing OIDC)
 PyPI-->>Publish: Package published
 else Any smoke test fails
 Smoke-->>GH: Workflow fails, no publish
 end

@greptile-apps greptile-apps bot left a comment

2 files reviewed, no comments

@birdcar birdcar force-pushed the birdcar/trusted-publishing branch from dc2081a to 5cf8f99 Compare January 15, 2026 15:52
- Replace Twine/token-based auth with PyPI Trusted Publishing
- Add smoke tests to verify wheel and sdist before publishing
- Run smoke tests against all supported Python versions (3.8-3.14)
- Use matrix strategy for parallel testing across versions
- Use uv publish for streamlined publishing

Workflow structure:
1. build: Create wheel and sdist artifacts
2. smoke-test: Test on Python 3.8-3.14 in parallel
3. publish: Upload to PyPI after all tests pass

Smoke tests verify:
- Package imports correctly
- Both sync/async clients instantiate
- All module properties accessible
- Core types and exceptions importable
- Dependencies properly bundled
- py.typed marker present

Pass python-version to setup-uv action to ensure the correct
Python version is installed before running smoke tests. Enable
cache-python to speed up subsequent workflow runs.

@birdcar birdcar force-pushed the birdcar/trusted-publishing branch from ad39cd0 to aaf2930 Compare January 15, 2026 16:10

Reviewers

@gjtorikian: awaiting requested review
@greptile-apps[bot]: left review comments

At least 1 approving review is required to merge this pull request.
