This pull request modifies our open source package batfish/docker GitHub actions to use PyPI trusted publishing on Test PyPI instead of a password. I'm talking about the dev_whl step that pushes a development version of the wheel to test.pypi.org/legacy.
All the PR does is remove the password argument and add id-token: write permissions. The trusted publisher is already set up. The publishing action then executes but runs into a 400 error with no information.
Passing run with password: https://github.com/batfish/docker/actions/runs/15381194869/job/43272421321
Failing run with trusted publisher: https://github.com/batfish/docker/actions/runs/15355188206/job/43212884353
I can't think of how to debug this further. Any suggestions?
Looks like this is explicitly not supported by PyPI: https://docs.pypi.org/trusted-publishers/troubleshooting/
Reusable workflows cannot currently be used as the workflow in a Trusted Publisher. This is a practical limitation, and is being tracked in warehouse#11096.
Time to refactor our GitHub actions I guess.
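One shape such a refactor can take, as an added example that is not taken from the batfish/docker repository: the build stays in a reusable workflow, while the publish job runs directly in the top-level workflow, which is the file the trusted publisher is registered against. The file names, trigger branch, job name `build` and artifact name `dev-whl` are assumptions.

```yaml
# .github/workflows/release.yml (hypothetical top-level workflow).
# The Test PyPI trusted publisher must name THIS file, not a reusable one.
name: release
on:
  push:
    branches: [master]   # assumed trigger branch

jobs:
  build:
    # Hypothetical reusable workflow: it only builds the wheel and uploads it
    # as an artifact named "dev-whl". It needs no id-token permission.
    uses: ./.github/workflows/build-wheel.yml

  dev_whl:
    # The publish step lives in a job of the top-level workflow, so the
    # limitation on reusable workflows no longer applies to it.
    needs: build
    runs-on: ubuntu-latest
    permissions:
      id-token: write    # allows this job to request the OIDC token
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dev-whl  # assumed artifact name from the build workflow
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          repository-url: https://test.pypi.org/legacy/
          # No password input: the action uses the OIDC token instead.
```

Granting `id-token: write` only on the publishing job, rather than at workflow level, keeps the token out of reach of the build steps.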