feat: Use Trusted Publishers with GitLab CI/CD #411

Draft
matthewfeickert wants to merge 3 commits into scientific-python:main from
matthewfeickert:feat/use-trusted-publisher-for-gitlab

@matthewfeickert matthewfeickert commented Apr 17, 2024

Comment on lines 155 to 160
# Retrieve the OIDC token from GitLab CI/CD and exchange it for a PyPI API token
- oidc_token=$(python -m id PYPI)
- response=$(curl -X POST "${OIDC_MINT_TOKEN_URL}" -d "{\"token\":\"${oidc_token}\"}")
- api_token=$(jq --raw-output '.token' <<< "${response}")

- pipx run twine upload --password "${api_token}" --verbose dist/*whl dist/*gz
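
Review bot: The curl call that posts to ${OIDC_MINT_TOKEN_URL} has no failure handling, so a rejected token exchange still flows into the upload step. Without --fail (or an explicit status check) curl exits 0 on an HTTP error, jq --raw-output '.token' prints null when the key is missing from the response, and twine upload is then run with that string as the password. Suggest adding --fail --silent --show-error to the curl line and stopping the job when api_token is empty or null. Separately, --password "${api_token}" places the minted token in the process arguments; passing it through the TWINE_PASSWORD environment variable keeps it off the command line.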

@matthewfeickert matthewfeickert Apr 17, 2024

These steps are currently based off of those shown in pypi/warehouse#13575 (comment). @kratsg can you please try this PR's changes on one of your CERN GitLab projects to validate them before we request review?

@matthewfeickert matthewfeickert Apr 17, 2024

* PyPI Trusted Publisher support now includes GitLab CI/CD, so use
 generated OIDC tokens to publish to TestPyPI or PyPI as needed in
 GitLab pipelines.
 - c.f. https://blog.pypi.org/posts/2024-04-17-expanding-trusted-publisher-support/ 
@matthewfeickert matthewfeickert force-pushed the feat/use-trusted-publisher-for-gitlab branch from 8a55804 to 14518cf Compare September 17, 2024 22:37

Since twine 6.1.0, uploading with Trusted Publishing on GitLab CI/CD is automatically detected, and doesn't need any of the manual steps that were needed before (other than adding the id_tokens section). For example:

```yaml
publish-job:
  stage: deploy
  image: python:3-bookworm
  id_tokens:
    PYPI_ID_TOKEN:
      aud: pypi
  script:
    - python -m pip install -U twine
    - twine upload python_pkg/dist/*
```

See the updated docs here: https://docs.pypi.org/trusted-publishers/using-a-publisher/#gitlab-cicd
