The blessed :octocat: GitHub Action, for publishing your :package: distribution files to PyPI, the tokenless way: https://github.com/marketplace/actions/pypi-publish
Per conversation in https://github.com/python-pillow/Pillow/pull/7616, there's an edge case we can provide a more descriptive error on: if the publishing workflow uses `pull_request` events and the event comes from a branch on a fork (rather than the upstream repo itself), then GitHub won't grant the `id-token: write` permission even if it's listed explicitly.
There's no workaround for this (and there can't be, without breaking GitHub's fork security model), but we can at least improve the error message in this case by detecting the following conditions:
When both of these are true, we could render a modified error message, like:
> The pull request that triggered this workflow originated from a fork, which means that it doesn't have access to the `id-token: write` permission used by Trusted Publishing.
>
> GitHub does not have a workaround for this. Consider using a different event instead (such as release or tag creation), or restricting this workflow's runs to first-party pull requests.
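One way the action could detect this case before attempting the OIDC token exchange, written here as an added example rather than code from gh-action-pypi-publish: it assumes the two conditions are "the event is `pull_request`" and "the PR's head repository is not the repository the workflow runs in", and reads them from the `GITHUB_EVENT_NAME` / `GITHUB_EVENT_PATH` payload that the runner provides (`fork_pr_explanation` and `explanation_from_runner_env` are hypothetical names).

```python
import json
import os
from typing import Optional

# Message proposed in the issue, rendered only when both conditions hold.
FORK_PR_MESSAGE = (
    "The pull request that triggered this workflow originated from a fork, "
    "which means that it doesn't have access to the `id-token: write` "
    "permission used by Trusted Publishing.\n\n"
    "GitHub does not have a workaround for this. Consider using a different "
    "event instead (such as release or tag creation), or restricting this "
    "workflow's runs to first-party pull requests."
)


def fork_pr_explanation(event_name: str, event: dict) -> Optional[str]:
    """Return the descriptive message for a PR from a fork, else None.

    Condition 1: the triggering event is ``pull_request``.
    Condition 2: the PR's head repository differs from the repository the
    workflow runs in; the webhook payload carries both as
    ``pull_request.head.repo.full_name`` and ``repository.full_name``.
    """
    if event_name != "pull_request":
        return None
    # head.repo is null when the fork has since been deleted; treat as a fork.
    head_repo = event.get("pull_request", {}).get("head", {}).get("repo") or {}
    base_repo = event.get("repository") or {}
    if head_repo.get("full_name") == base_repo.get("full_name"):
        return None  # first-party PR: id-token: write can be granted normally
    return FORK_PR_MESSAGE


def explanation_from_runner_env(environ=os.environ) -> Optional[str]:
    """Read the event name and payload the runner exposes (assumed wiring)."""
    path = environ.get("GITHUB_EVENT_PATH")
    if not path:
        return None
    with open(path) as fh:
        return fork_pr_explanation(environ.get("GITHUB_EVENT_NAME", ""), json.load(fh))


# Constructed sample payloads, trimmed to the fields used above.
FORK_EVENT = {
    "repository": {"full_name": "upstream/project"},
    "pull_request": {"head": {"repo": {"full_name": "contributor/project"}}},
}
FIRST_PARTY_EVENT = {
    "repository": {"full_name": "upstream/project"},
    "pull_request": {"head": {"repo": {"full_name": "upstream/project"}}},
}
```

Running the check ahead of the token request lets the action fail with the fork-specific message instead of the generic "id-token permission missing" error, while first-party PRs and non-PR events fall through unchanged.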