Overview
OpenID Connect (OIDC) allows your GitHub Actions workflows to authenticate with PyPI to publish Python packages.
This guide gives an overview of how to configure PyPI to trust GitHub's OIDC as a federated identity, and demonstrates how to use this configuration in the pypa/gh-action-pypi-publish action to publish packages to PyPI (or other Python package repositories) without any manual API token management.
Prerequisites
-
若要了解 GitHub 如何使用 OpenID Connect (OIDC) 及其体系结构和优势的基本概念,请参阅“关于使用 OpenID Connect 进行安全强化”。
-
在继续之前,必须规划安全策略,以确保仅以可预测的方式分配访问令牌。 要控制云提供商颁发访问令牌的方式,必须至少定义一个条件,以便不受信任的存储库无法为云资源请求访问令牌。 有关详细信息,请参阅“关于使用 OpenID Connect 进行安全强化”。
Adding the identity provider to PyPI
To use OIDC with PyPI, add a trust configuration that links each project on PyPI to each repository and workflow combination that's allowed to publish for it.
-
Sign in to PyPI and navigate to the trusted publishing settings for the project you'd like to configure. For a project named
myproject, this will be athttps://pypi.org/manage/project/myproject/settings/publishing/. -
Configure a trust relationship between the PyPI project and a GitHub repository (and workflow within the repository). For example, if your GitHub repository is at
myorg/myprojectand your release workflow is defined inrelease.ymlwith an environment ofrelease, you should use the following settings for your trusted publisher on PyPI.注意
Enter these values carefully. Giving the incorrect user, repository, or workflow the ability to publish to your PyPI project is equivalent to sharing an API token.
- Owner:
myorg - Repository name:
myproject - Workflow name:
release.yml - (Optionally) a GitHub Actions environment name:
release
- Owner:
Updating your GitHub Actions workflow
Once your trusted publisher is registered on PyPI, you can update your release workflow to use trusted publishing.
注意
在工作流或 OIDC 策略中使用环境时,建议将保护规则添加到环境中以提高安全性。 例如,可以在环境中配置部署规则,以限制可以部署到环境或访问环境机密的分支和标记。 有关详细信息,请参阅“Managing environments for deployment”。
The pypa/gh-action-pypi-publish action has built-in support for trusted publishing, which can be enabled by giving its containing job the id-token: write permission and omitting username and password.
The following example uses the pypa/gh-action-pypi-publish action to exchange an OIDC token for a PyPI API token, which is then used to upload a package's release distributions to PyPI.
jobs:
release-build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.x"
- name: build release distributions
run: |
# NOTE: put your own distribution build steps here.
python -m pip install build
python -m build
- name: upload windows dists
uses: actions/upload-artifact@v4
with:
name: release-dists
path: dist/
pypi-publish:
runs-on: ubuntu-latest
needs:
- release-build
permissions:
id-token: write
steps:
- name: Retrieve release distributions
uses: actions/download-artifact@v4
with:
name: release-dists
path: dist/
- name: Publish release distributions to PyPI
uses: pypa/gh-action-pypi-publish@3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f
jobs:
release-build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.x"
- name: build release distributions
run: |
# NOTE: put your own distribution build steps here.
python -m pip install build
python -m build
- name: upload windows dists
uses: actions/upload-artifact@v4
with:
name: release-dists
path: dist/
pypi-publish:
runs-on: ubuntu-latest
needs:
- release-build
permissions:
id-token: write
steps:
- name: Retrieve release distributions
uses: actions/download-artifact@v4
with:
name: release-dists
path: dist/
- name: Publish release distributions to PyPI
uses: pypa/gh-action-pypi-publish@3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f