
PyPI publishing GitHub Action works with token but not trusted provider


This pull request modifies our open source package batfish/docker GitHub actions to use PyPI trusted publishing on Test PyPI instead of a password. I'm talking about the dev_whl step that pushes a development version of the wheel to test.pypi.org/legacy.

All the PR does is remove the password argument and add id-token: write permissions. The trusted publisher is already set up. The publishing action then executes but runs into a 400 error with no information.

Passing run with password: https://github.com/batfish/docker/actions/runs/15381194869/job/43272421321

Failing run with trusted publisher: https://github.com/batfish/docker/actions/runs/15355188206/job/43212884353

I can't think of how to debug this further. Any suggestions?


Solution

  • Looks like this is explicitly not supported by PyPI: https://docs.pypi.org/trusted-publishers/troubleshooting/

    Reusable workflows cannot currently be used as the workflow in a Trusted Publisher. This is a practical limitation, and is being tracked in warehouse#11096.

    Time to refactor our GitHub actions I guess.
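As an added illustration (not code from the batfish/docker repository or from the answer above), this is the shape of a Test PyPI publish job once it is moved out of a reusable workflow and into the calling workflow, which is the file PyPI matches the Trusted Publisher against. The workflow name, job name, branch and `environment` name are assumptions; `repository-url` and `id-token: write` are the real inputs involved.

```yaml
name: dev-wheel   # assumed workflow name; the Trusted Publisher entry must reference this file's name

on:
  push:
    branches: [main]   # assumed trigger

jobs:
  dev_whl:
    # The publish job sits directly in this workflow, not behind workflow_call:
    # PyPI rejects the OIDC token when the job runs inside a reusable workflow.
    runs-on: ubuntu-latest
    environment: testpypi   # assumed; only needed if the Trusted Publisher was registered with an environment
    permissions:
      id-token: write   # lets the job request a GitHub OIDC token for the exchange
      contents: read    # nothing else is needed; no long-lived PyPI secret is stored
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Build wheel
        run: |
          python -m pip install --upgrade build
          python -m build
      - name: Publish to Test PyPI via trusted publishing
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          # No `password:` input: the action trades the OIDC token for a short-lived PyPI API token.
          repository-url: https://test.pypi.org/legacy/
```

If the Trusted Publisher on test.pypi.org was registered with an environment name, the `environment:` value here has to match it exactly, and if it was registered without one, drop the key.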