---
title: Configuring OpenID Connect in PyPI
shortTitle: OIDC in PyPI
intro: Use OpenID Connect within your workflows to authenticate with PyPI.
versions:
redirect_from:
contentType: how-tos
category:
---
OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %} workflows to authenticate with PyPI to publish Python packages.
This guide gives an overview of how to configure PyPI to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and demonstrates how to use this configuration in the `pypa/gh-action-pypi-publish` action to publish packages to PyPI (or other Python package repositories) without any manual API token management.
{% data reusables.actions.oidc-link-to-intro %}
{% data reusables.actions.oidc-security-notice %}
{% data reusables.actions.oidc-on-ghecom %}
To use OIDC with PyPI, add a trust configuration that links each project on PyPI to each repository and workflow combination that's allowed to publish for it.

1. Sign in to PyPI and navigate to the trusted publishing settings for the project you'd like to configure. For a project named `myproject`, this will be at `https://pypi.org/manage/project/myproject/settings/publishing/`.
1. Configure a trust relationship between the PyPI project and a {% data variables.product.prodname_dotcom %} repository (and workflow within the repository). For example, if your {% data variables.product.prodname_dotcom %} repository is at `myorg/myproject` and your release workflow is defined in `release.yml` with an environment of `release`, you should use the following settings for your trusted publisher on PyPI.

   > [!NOTE]
   > Enter these values carefully. Giving the incorrect user, repository, or workflow the ability to publish to your PyPI project is equivalent to sharing an API token.

   * Owner: `myorg`
   * Repository name: `myproject`
   * Workflow name: `release.yml`
   * (Optionally) a {% data variables.product.prodname_actions %} environment name: `release`
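To make the note above concrete, here is an added example (not part of this page, and not PyPI's own code) that models the check a trusted-publisher verifier makes on a GitHub OIDC token: the token's `repository`, `job_workflow_ref` and `environment` claims must match the registered owner, repository name, workflow file and (if one was registered) environment. The claim names are GitHub's documented OIDC claims; the token payload is constructed, and the matching rules are a simplified model of the verifier, not PyPI's implementation.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TrustedPublisher:
    """The values registered on PyPI's trusted publishing page."""
    owner: str
    repository: str
    workflow: str  # workflow filename, e.g. "release.yml"
    environment: Optional[str] = None


def workflow_file(job_workflow_ref: str) -> str:
    """Return the workflow filename from a job_workflow_ref claim,
    which has the form "<owner>/<repo>/.github/workflows/<file>@<ref>"."""
    path, _, _ = job_workflow_ref.partition("@")
    return path.rsplit("/", 1)[-1]


def matches(publisher: TrustedPublisher, claims: dict) -> bool:
    """True only if every registered value matches the token's claims."""
    expected_repo = f"{publisher.owner}/{publisher.repository}"
    if claims.get("repository") != expected_repo:
        return False
    ref = claims.get("job_workflow_ref", "")
    # The workflow must live in this repository; a reusable workflow
    # from another repository carries that repository's path here.
    if not ref.startswith(f"{expected_repo}/.github/workflows/"):
        return False
    if workflow_file(ref) != publisher.workflow:
        return False
    # The environment is only enforced when one was registered.
    if publisher.environment is not None:
        return claims.get("environment") == publisher.environment
    return True


# Constructed sample payload, shaped like the claims in a GitHub OIDC token.
SAMPLE_CLAIMS = {
    "repository": "myorg/myproject",
    "repository_owner": "myorg",
    "job_workflow_ref": "myorg/myproject/.github/workflows/release.yml@refs/tags/v1.0.0",
    "environment": "release",
}

if __name__ == "__main__":
    publisher = TrustedPublisher("myorg", "myproject", "release.yml", "release")
    print(matches(publisher, SAMPLE_CLAIMS))  # True
```

Any mismatch in a single registered field, including a workflow of the same filename hosted in a different repository, is enough to reject the token, which is why each value entered on PyPI should be checked against the actual repository and workflow path.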
Once your trusted publisher is registered on PyPI, you can update your release workflow to use trusted publishing.
{% data reusables.actions.oidc-deployment-protection-rules %}
The `pypa/gh-action-pypi-publish` action has built-in support for trusted publishing, which can be enabled by giving its containing job the `id-token: write` permission and omitting `username` and `password`.

The following example uses the `pypa/gh-action-pypi-publish` action to exchange an OIDC token for a PyPI API token, which is then used to upload a package's release distributions to PyPI.
{% data reusables.actions.actions-not-certified-by-github-comment %}
```yaml
jobs:
  release-build:
    runs-on: ubuntu-latest

    steps:
      - uses: {% data reusables.actions.action-checkout %}

      - uses: {% data reusables.actions.action-setup-python %}
        with:
          python-version: "3.x"

      - name: build release distributions
        run: |
          # NOTE: put your own distribution build steps here.
          python -m pip install build
          python -m build

      - name: upload windows dists
        uses: {% data reusables.actions.action-upload-artifact %}
        with:
          name: release-dists
          path: dist/

  pypi-publish:
    runs-on: ubuntu-latest
    needs:
      - release-build
    # Only this job needs an OIDC token; the build job does not.
    permissions:
      id-token: write

    steps:
      - name: Retrieve release distributions
        uses: {% data reusables.actions.action-download-artifact %}
        with:
          name: release-dists
          path: dist/

      - name: Publish release distributions to PyPI
        uses: pypa/gh-action-pypi-publish@3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f
```