
Switch PyPI release workflow to trusted publishing (PEP 740)#360

Open
DeconBear wants to merge 1 commit into qutip:master from DeconBear:fix/issue-358-pep740-trusted-publish

Conversation

@DeconBear
Contributor

This PR updates the release workflow to use PyPI trusted publishing (OIDC) instead of long-lived API tokens.

Changes:

  • Add id-token: write permission to the deploy job.
  • Replace twine upload with pypa/gh-action-pypi-publish@release/v1.
  • Collect wheel/sdist artifacts into dist/ and publish from there.
  • Keep existing manual confirmation and non-dev-version checks.

Refs: qutip/qutip#2868
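As an added illustration of the workflow shape the change list above describes (this is not the PR's own diff, which is not shown on this page, and not QuTiP's actual release workflow), here is a minimal GitHub Actions workflow that builds into dist/, gates on a manual confirmation, refuses dev versions, and publishes through pypa/gh-action-pypi-publish with an OIDC token instead of a stored API token. The workflow and job names, the `pypi` environment, the `confirm_release` input, the artifact names and the `.dev` filename check are assumptions standing in for the project's existing checks.

```yaml
# Added example: a trusted-publishing release workflow in the shape the PR
# describes. Not QuTiP's real workflow and not the PR's diff; job/environment
# names, the confirmation input and the dev-version check are assumptions.
name: Release to PyPI

on:
  workflow_dispatch:
    inputs:
      confirm_release:
        description: 'Type "yes" to publish the built artifacts to PyPI'
        required: true
        default: "no"

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: python -m pip install --upgrade build
      # Build sdist and wheel into dist/. A compiled project would run a
      # cibuildwheel matrix here and upload one artifact per platform.
      - run: python -m build --outdir dist/
      - uses: actions/upload-artifact@v4
        with:
          name: dist-linux   # assumed artifact name; must match the pattern below
          path: dist/

  deploy:
    needs: build
    # Manual confirmation gate, standing in for the PR's "manual confirmation" check.
    if: ${{ inputs.confirm_release == 'yes' }}
    runs-on: ubuntu-latest
    # Assumed environment name. If the publisher registered on PyPI names a
    # GitHub environment, the job must run in exactly that environment.
    environment: pypi
    permissions:
      # Lets this job (and only this job) request an OIDC token from GitHub;
      # PyPI exchanges it for a short-lived upload token, so no long-lived
      # API-token secret exists in the repository.
      id-token: write
      contents: read
    steps:
      # No checkout: the deploy job only needs the built artifacts.
      - uses: actions/download-artifact@v4
        with:
          pattern: dist-*
          merge-multiple: true
          path: dist/
      - name: Refuse to publish development versions
        run: |
          ls -l dist/
          if ls dist/ | grep -q '\.dev'; then
            echo "dist/ contains a .dev version; refusing to publish" >&2
            exit 1
          fi
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          packages-dir: dist/
          # Also upload PEP 740 attestations for the uploaded files; the
          # action generates them when it publishes via trusted publishing.
          attestations: true
```

Two things a reviewer would check before merging something like this. First, the workflow alone does nothing: a trusted publisher must be registered on the PyPI side for the project, naming the repository owner, repository, the workflow filename this YAML lives in, and (if used) the environment name; any mismatch makes PyPI reject the OIDC token. Second, `release/v1` is a moving branch of the publish action; pinning it to a commit SHA removes one more mutable dependency from the release path, at the cost of updating the pin by hand.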

@BoxiLi
Member

BoxiLi commented Mar 27, 2026

Sorry, this needs to be discussed among the admin maintainers first, and I don't think this script will work by itself because something must be done with PyPI by the project admins.

@Mayank447
Member

I don't think this script will work by itself because something must be done with PyPI by the project admins.

This is correct, for reference: https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi
