Publish to PyPI via OIDC

[Josverl]

How can I publish using PyPI trusted publishers / OIDC ?

I tried using a separate action to get a token, that runs without a problem ,
but publishing still fails on auth with HTTP Error 403: Invalid or non-existent authentication information.

name: Python package to pypi via OIDC
on:
  push:
    tags:
      - "v*.*.*-*"
      - "v*.*.*"
  workflow_dispatch:
jobs:
  publish_pypi:
    runs-on: ubuntu-latest
    # environment: release    
    permissions:
      # IMPORTANT: this permission is mandatory for trusted publishing
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v3

      - name: Mint token
        id: mint
        uses: tschm/token-mint-action@v1.0.2

      - name: Build and publish to pypi
        uses: JRubics/poetry-publish@v1.16
        with:
          pypi_token: "${{ steps.mint.outputs.api-token }}"

accoding to the pypi docs the username is supposed to be "token", but I cannot find how to make this work with this action

          repository_username: "__token__"
          repository_password: "${{ steps.mint.outputs.api-token }}"

also fails

logs >

[JRubics]

Honestly, I don't know if there are some boundaries when using OIDC. Maybe try wikh the suggested action: pypi-publish

[Josverl]

hmm, I adopted poetry just because I did not want to keep a shack full of different tools up-to date for different steps in the same process. and I think its quite achievable

The simple for of the question is : is it possible to configure this action to use the poetry arguments

  -u, --username=USERNAME        The username to access the repository. < this will be "__token__"
  -p, --password=PASSWORD        The password to access the repository. < this will be "${{ steps.mint.outputs.api-token }}"

and assuming so , and how to I provide the values to that ?

I tried using the pypi_token: parameter for your action - but that does not appear to be used for the --password value , or the --username is set to a different value than __token__

I tried to follow though/reverse engineer the actions's logic, but I get lost

[JRubics]

Ok, I think I see what was the issue with your first try with repository_username and repository_password.

It was the right approach, but adding username and password also requires adding the repository name and url. Check here. I assume your action fails, because you don't provided the repository information and it is expected. Please try to specify all the four values:

• repository_name
• repository_url
• repository_username
• repository_password

Please share your results when you try this :relaxed:

[JRubics]

Did it solve your issue?

[JRubics]

Hey @Josverl :) I checked OIDC a bit deeper, and here are my findings:

• what I said in the previous message was not right, you can't just pass repository_username and repository_password for OIDC to work
• it's currently not supported by this action and won't be for some period. Reasons:
  1. it's only supported by default github action: https://github.com/marketplace/actions/pypi-publish
  2. if you want to implement it manually, you need to etrieve an OIDC token from the OIDC identity provider, submit that token to PyPI, which will return a short-lived API key and use it as API key. In the docs, this way is strongly discouraged.
• instead of this, I'd recommend using the normal token instead if you don't want to use the action suggested in the docs

Check the details here: https://docs.pypi.org/trusted-publishers/using-a-publisher/ under The manual way section. Closing this issue since there won't be any development regarding it until pypi releases another (and recommended) way of using OIDC as a third party.