Creates an API token for trusted publishing on PyPI.
"Trusted publishing" is a term for using the OpenID Connect (OIDC) standard to exchange short-lived identity tokens between a trusted third-party service and PyPI. This method can be used in automated environments and eliminates the need to use username/password combinations or manually generated API tokens to authenticate with PyPI when publishing.
For a quickstart, see:
OpenID Connect (OIDC) publishing is a mechanism for uploading packages to PyPI, complementing existing methods (username/password combinations, API tokens).
- Certain CI services (like GitHub Actions) are OIDC identity providers, meaning that they can issue short-lived credentials ("OIDC tokens") that a third party can strongly verify came from the CI service (as well as which user, repository, etc. actually executed).
- Projects on PyPI can be configured to trust a particular configuration on a particular CI service, making that configuration an OIDC publisher for that project.
- Release automation (like GitHub Actions) can submit an OIDC token to PyPI. The token will be matched against configurations trusted by different projects; if any projects trust the token's configuration, then PyPI will mint a short-lived API token for those projects and return it.
- The short-lived API token behaves exactly like a normal project-scoped API token, except that it's only valid for 15 minutes from time of creation (enough time for the CI to use it to upload packages).

This confers significant usability and security advantages when compared to PyPI's traditional authentication methods:
The idea of this action is to provide a mint that hides the OIDC token exchange from the user. The user has to configure PyPI to trust the aforementioned configuration, but otherwise simply gets an API token which can be used to publish on PyPI (e.g. via Poetry).
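The exchange the action hides, written out as an added Python example (not the action's own code): the runner's OIDC endpoint (the `ACTIONS_ID_TOKEN_REQUEST_URL`/`ACTIONS_ID_TOKEN_REQUEST_TOKEN` variables GitHub sets when `id-token: write` is granted) and PyPI's mint endpoint under `/_/oidc/mint-token` are assumed from the public trusted-publishing flow, and the HTTP transport is injected so a constructed stand-in replaces both services and the code runs offline.

```python
import base64
import json
from typing import Callable, Optional, Tuple

# Transport: (method, url, headers, json_body) -> (status, parsed JSON reply).
# Injected so the exchange can be exercised offline with a constructed stand-in.
Transport = Callable[[str, str, dict, Optional[dict]], Tuple[int, dict]]
PYPI_URL = "https://pypi.org"  # assumed host; TestPyPI uses its own host and audience

def oidc_claims(jwt: str) -> dict:
    """Unverified payload of the OIDC token, for inspection only: PyPI, not the
    workflow, is the party that verifies the signature and matches the claims."""
    seg = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def mint_pypi_token(transport: Transport, env: dict, audience: str = "pypi") -> str:
    # 1. Ask the runner for an OIDC token bound to the PyPI audience. This needs
    #    `id-token: write`; without it the two request variables are not set.
    if "ACTIONS_ID_TOKEN_REQUEST_URL" not in env or "ACTIONS_ID_TOKEN_REQUEST_TOKEN" not in env:
        raise RuntimeError("no OIDC request context; is `id-token: write` set?")
    status, body = transport("GET", f"{env['ACTIONS_ID_TOKEN_REQUEST_URL']}&audience={audience}",
                             {"Authorization": f"bearer {env['ACTIONS_ID_TOKEN_REQUEST_TOKEN']}"}, None)
    if status != 200:
        raise RuntimeError(f"GitHub OIDC token request failed: {status}")
    oidc_token = body["value"]
    # 2. Exchange it at PyPI (assumed endpoint). PyPI matches the token's claims
    #    (repository, workflow, environment) against the project's trusted
    #    publishers and returns a project-scoped token valid for 15 minutes.
    status, body = transport("POST", f"{PYPI_URL}/_/oidc/mint-token",
                             {"Content-Type": "application/json"}, {"token": oidc_token})
    if status != 200:
        raise RuntimeError(f"PyPI refused to mint a token: {body.get('message', status)}")
    return body["token"]

# Constructed stand-in for both services so the flow runs offline (not real data).
def _b64(d: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()

FAKE_JWT = ".".join([_b64({"alg": "RS256"}), _b64({"aud": "pypi", "repository": "example/pyhrp",
                     "workflow_ref": "example/pyhrp/.github/workflows/release.yml@refs/tags/1.2.3"}), "sig"])
FAKE_ENV = {"ACTIONS_ID_TOKEN_REQUEST_URL": "https://runner.invalid/token?api-version=2.0",
            "ACTIONS_ID_TOKEN_REQUEST_TOKEN": "req-secret"}

def fake_transport(method, url, headers, body):
    if method == "GET" and "audience=pypi" in url and headers.get("Authorization") == "bearer req-secret":
        return 200, {"value": FAKE_JWT}
    if method == "POST" and url.endswith("/_/oidc/mint-token") and body == {"token": FAKE_JWT}:
        return 200, {"token": "pypi-constructed-short-lived-token"}
    return 403, {"message": "invalid-publisher"}
```

Inspecting `oidc_claims(...)` on a real token is the quickest way to see which repository and workflow claims PyPI will compare against the project's trusted publisher settings when a mint is refused.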
The action assumes that it's being run in a GitHub Actions workflow runner with the following permissions:

```yaml
permissions:
  id-token: write
  contents: read
```

Those permissions are critical; without them, GitHub Actions will refuse to issue an OIDC token.
Permissions are discussed here.
| Input | Required | Default | Description |
|---|---|---|---|
| audience | false | pypi | Audience claim requested for the OIDC token |

| Output | Description |
|---|---|
| api-token | The minted short-lived PyPI API token |
All our experiments have been performed with the pyhrp package, which relies on Poetry.
Using the new action, the release.yml file is:

```yaml
name: Upload Python Package

on:
  push:
    tags:
      - '[0-9]+.[0-9]+.[0-9]'

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      # This permission is required for trusted publishing.
      id-token: write
      contents: read

    steps:
      - uses: actions/checkout@v4

      - name: Set up Python 3.10
        uses: actions/setup-python@v5
        with:
          python-version: '3.10'

      - name: Install Poetry
        uses: snok/install-poetry@v1
        with:
          virtualenvs-create: false

      - name: Update version (kept at 0.0.0) in pyproject.toml and build
        run: |
          poetry version ${{ github.ref_name }}
          poetry build

      - name: Mint token
        id: mint
        uses: tschm/token-mint-action@v1.0.3

      - name: Publish the package with poetry
        run: |
          poetry publish -u __token__ -p '${{ steps.mint.outputs.api-token }}'
```
The creation of an API token rarely fails for two reasons:
Contributions are always welcome; submit a PR!
The PyPI token mint action is licensed under the Apache License. See the LICENSE file for details.