ci(release): TestPyPI via Trusted Publishing (OIDC), drop TEST_PYPI_TOKEN #295
Merged
…OKEN The TestPyPI step authenticated with a long-lived TEST_PYPI_TOKEN secret that is invalid/stale — every release logged `403 Invalid or non-existent authentication information` from test.pypi.org (non-fatal only because the job is continue-on-error). The prod PyPI token can't be reused: TestPyPI is a separate index with separate accounts.

Switch the TestPyPI publish to PyPI Trusted Publishing (OIDC) via pypa/gh-action-pypi-publish, pinned to v1.14.0. The job now requests `id-token: write` and mints a short-lived, repo+environment-scoped token per run — no secret to leak, expire, or rotate. `skip-existing: true` tolerates re-runs; the step stays continue-on-error so a TestPyPI hiccup never blocks the prod publish.

One-time setup required on test.pypi.org (Account → Publishing → add a pending publisher): owner=oracle-samples, repo=locus, workflow=_release.yml, environment=testpypi.

The prod PyPI publish job is unchanged (still token-based) and can migrate to OIDC as a follow-up once its trusted publisher is registered on pypi.org.

Signed-off-by: Federico Kamelhar <federico.kamelhar@oracle.com>
Problem
Every release logged this from the `test-pypi-publish` job:

It was only non-fatal because the job is `continue-on-error`. Root cause: the `TEST_PYPI_TOKEN` secret is invalid/stale, and the prod `PYPI_TOKEN` can't be reused — TestPyPI is a separate index with separate accounts/tokens.
Fix — Trusted Publishing (OIDC)
Best practice per PyPA/PyPI: stop using long-lived tokens. The TestPyPI step now uses `pypa/gh-action-pypi-publish` (pinned to `v1.14.0` / `cef221092ed1bacb1cc03d23a2d87d1d172e277b`) with OIDC:

- `id-token: write` → a short-lived token scoped to repo + `testpypi` environment is minted per run; nothing to leak, expire, or rotate
- `skip-existing: true` tolerates re-runs over an already-uploaded version
- `continue-on-error` so a TestPyPI hiccup never blocks the prod publish
- `TEST_PYPI_TOKEN` secret is no longer referenced (safe to delete from the `testpypi` environment)
Before the next release, register a Trusted Publisher (Account → Publishing → "Add a pending publisher"):

| PyPI project | Owner | Repository | Workflow | Environment |
|---|---|---|---|---|
| `locus-sdk` | `oracle-samples` | `locus` | `_release.yml` | `testpypi` |

Until that's added, the step will still fail — but harmlessly (`continue-on-error`), exactly as today.
Scope
Production PyPI publish is unchanged (still token-based and working). It can migrate to OIDC as a follow-up once its trusted publisher is registered on pypi.org — deliberately not done here to avoid any risk to a working release path.
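For readers who want to see the shape of the change, the following is an added example of a GitHub Actions workflow showing the token-based TestPyPI job beside the Trusted Publishing (OIDC) job. It is not the project's actual `_release.yml`; the tag trigger, the `build` job, the `actions/checkout`, `actions/setup-python` and `actions/upload-artifact`/`download-artifact` steps, and the artifact name `dist` are assumptions for illustration. The action pin, environment name, `id-token: write`, `skip-existing: true` and `continue-on-error` settings are the ones described in the PR.

```yaml
# Added example, not the project's _release.yml. Assumed: a tag trigger, a
# preceding `build` job that uploads the sdist/wheel as an artifact named
# `dist`, and the specific action versions used for checkout/setup/artifacts.
name: release

on:
  push:
    tags: ["v*"]

# Least privilege at the workflow level: no job gets a write-capable GITHUB_TOKEN
# unless it asks for it explicitly below.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: python -m pip install build && python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  # BEFORE (the weak form this PR removes): a long-lived API token stored as an
  # environment secret. It goes stale (the 403 seen on every release), it is
  # readable by any step that runs in the job, and it has to be rotated by hand.
  #
  # test-pypi-publish:
  #   needs: build
  #   runs-on: ubuntu-latest
  #   environment: testpypi
  #   continue-on-error: true
  #   steps:
  #     - uses: actions/download-artifact@v4
  #       with:
  #         name: dist
  #         path: dist/
  #     - uses: pypa/gh-action-pypi-publish@release/v1   # mutable ref, not a SHA
  #       with:
  #         repository-url: https://test.pypi.org/legacy/
  #         password: ${{ secrets.TEST_PYPI_TOKEN }}

  # AFTER: Trusted Publishing. No `password` input at all; the action exchanges
  # the job's OIDC identity token for a short-lived TestPyPI token that is valid
  # only for the registered (owner, repo, workflow file, environment) tuple.
  test-pypi-publish:
    needs: build
    runs-on: ubuntu-latest
    environment: testpypi          # must match the pending publisher on test.pypi.org
    continue-on-error: true        # a TestPyPI outage never blocks the prod publish
    permissions:
      id-token: write              # only this job may request an OIDC token
      contents: read
    steps:
      # No checkout here: the publish job should run as little code as possible
      # while it holds the ability to mint a credential.
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # Pinned to the full commit SHA so a moved tag cannot swap the code that
      # handles the freshly minted credential.
      - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # v1.14.0
        with:
          repository-url: https://test.pypi.org/legacy/
          skip-existing: true      # re-running a release must not fail on an already-uploaded version
```

Two caveats a practitioner should keep in mind: the trust relationship is bound to the workflow file name and the environment, so renaming `_release.yml` or the `testpypi` environment silently breaks publishing until the pending publisher is updated; and `id-token: write` lets any step in that job request the OIDC token, so keep the publish job to the artifact download and the publish action, with no untrusted code checked out or executed before it.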