
@FindHao (Member) commented Dec 12, 2025

Summary

This PR migrates the PyPI publishing workflow from API token authentication to Trusted Publishing (OIDC).

Changes

  • Added id-token: write permission for OIDC token generation
  • Removed user and password parameters from the publish step
  • Enabled attestations: true for package provenance

Why

Trusted Publishing provides:

  • No secrets to manage: Eliminates the need for API tokens stored in GitHub Secrets
  • Better security: Uses short-lived OIDC tokens instead of long-lived API tokens
  • Attestations support: Enables cryptographic proof of package provenance

Required Setup

Before merging, configure Trusted Publisher on PyPI:

  1. Go to https://pypi.org/manage/project/tritonparse/settings/publishing/
  2. Add a new publisher with:
    • Owner: meta-pytorch
    • Repository: tritonparse
    • Workflow name: nightly-pypi.yml
    • Environment: (leave empty)


Copilot AI review requested due to automatic review settings December 12, 2025 00:27
@meta-cla meta-cla bot added the CLA Signed label Dec 12, 2025
@meta-codesync

meta-codesync bot commented Dec 12, 2025

@FindHao has imported this pull request. If you are a Meta employee, you can view this in D89004848.

Copilot AI left a comment


Pull request overview

This PR modernizes the PyPI publishing workflow by migrating from legacy API token authentication to PyPI Trusted Publishing using OIDC, eliminating the need for long-lived secrets while improving security through short-lived tokens and cryptographic attestations.

Key Changes:

  • Switched authentication method from API tokens to OIDC-based Trusted Publishing
  • Added id-token: write permission for OIDC token generation
  • Enabled cryptographic attestations for package provenance verification

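The workflow change that the PR description and the review above both summarize, written out here as an added example; it is not the tritonparse repository's actual nightly-pypi.yml. The API-token publish step is kept as a commented-out "before" for comparison, followed by the Trusted Publishing version with a job-scoped id-token: write permission, no user/password inputs, and attestations enabled. The nightly cron trigger, the job name, the build commands, the Python version and the PYPI_API_TOKEN secret name are assumptions; the owner, repository and workflow-name values are the ones the PR lists for the PyPI publisher registration.

```yaml
# Added illustration, not the tritonparse project's own workflow file.
# Assumed: nightly cron trigger, a job named "publish", build via `python -m build`.
# Save as .github/workflows/nightly-pypi.yml: PyPI matches the registered
# Trusted Publisher on owner (meta-pytorch), repository (tritonparse) and the
# workflow *filename* (nightly-pypi.yml), so the name must agree exactly.
name: nightly-pypi

on:
  schedule:
    - cron: "0 6 * * *"   # assumed nightly schedule
  workflow_dispatch:

# --- BEFORE: long-lived API token held as a repository secret ---------------
# (shown for comparison only; do not keep both publish steps in one workflow)
#
# jobs:
#   publish:
#     runs-on: ubuntu-latest
#     steps:
#       - uses: actions/checkout@v4
#       - uses: actions/setup-python@v5
#         with:
#           python-version: "3.12"
#       - run: python -m pip install --upgrade build && python -m build
#       - uses: pypa/gh-action-pypi-publish@release/v1
#         with:
#           user: __token__
#           password: ${{ secrets.PYPI_API_TOKEN }}   # assumed secret name
#
# --- AFTER: Trusted Publishing (OIDC) ---------------------------------------

jobs:
  publish:
    runs-on: ubuntu-latest
    # Grant the OIDC permission to this job only, not at the workflow level,
    # so no other job in the file can mint an identity token. `contents: read`
    # keeps the remaining token scopes at the minimum needed to check out code.
    permissions:
      id-token: write
      contents: read
    # No `environment:` key: the PR registers the publisher on PyPI with the
    # Environment field left empty, and the claim check requires both sides
    # to agree (an environment named here would have to be registered there).
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Build sdist and wheel
        run: python -m pip install --upgrade build && python -m build
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          # `user` and `password` are gone: the action presents the job's
          # short-lived OIDC token to PyPI and receives a PyPI-minted,
          # short-lived upload token in exchange.
          attestations: true   # sign the distributions and upload provenance
```

Two follow-up checks are worth doing alongside a change like this. First, attestations only work with the OIDC path, so the permission block and the removal of the password input go together; leaving `password` in place would silently put the step back on the old credential path. Second, once the workflow no longer reads the secret, delete it from the repository settings and revoke the corresponding token on PyPI, so the long-lived credential the migration was meant to retire does not stay valid.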

@meta-codesync

meta-codesync bot commented Dec 12, 2025

@FindHao merged this pull request in 88b8ed6.
