Skip to content

feat: Use Trusted Publishers with GitLab CI/CD#411

Draft
matthewfeickert wants to merge 3 commits intoscientific-python:mainfrom
matthewfeickert:feat/use-trusted-publisher-for-gitlab
Draft

feat: Use Trusted Publishers with GitLab CI/CD#411
matthewfeickert wants to merge 3 commits intoscientific-python:mainfrom
matthewfeickert:feat/use-trusted-publisher-for-gitlab

Conversation

@matthewfeickert
Copy link
Member

@matthewfeickert matthewfeickert commented Apr 17, 2024

matthewfeickert
matthewfeickert commented Apr 17, 2024
View reviewed changes
{{cookiecutter.project_name}}/{% if cookiecutter.__ci=='gitlab' %}.gitlab-ci.yml{% endif %}
Comment on lines 155 to 160
# Retrieve the OIDC token from GitLab CI/CD and exchange it for a PyPI API token
- oidc_token=$(python -m id PYPI)
- response=$(curl -X POST "${OIDC_MINT_TOKEN_URL}" -d "{\"token\":\"${oidc_token}\"}")
- api_token=$(jq --raw-output '.token' <<< "${response}")

- pipx run twine upload --password "${api_token}" --verbose dist/*whl dist/*gz
Copy link
Member Author

@matthewfeickert matthewfeickert Apr 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These steps are currently based off of those show in pypi/warehouse#13575 (comment). @kratsg can you please try this PR's changes on one of your CERN GitLab projects to validate them before we request review?

Copy link
Member Author

@matthewfeickert matthewfeickert Apr 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah they're actually in the docs now: https://docs.pypi.org/trusted-publishers/using-a-publisher/#gitlab-cicd and https://docs.pypi.org/trusted-publishers/security-model/#gitlab-cicd

@matthewfeickert matthewfeickert force-pushed the feat/use-trusted-publisher-for-gitlab branch from ccc0e99 to 553190e Compare April 22, 2024 22:57
@matthewfeickert matthewfeickert mentioned this pull request Apr 23, 2024
Closed
@matthewfeickert matthewfeickert force-pushed the feat/use-trusted-publisher-for-gitlab branch from 553190e to 8a55804 Compare April 24, 2024 22:57
@matthewfeickert matthewfeickert mentioned this pull request May 3, 2024
Closed
@matthewfeickert
feat: Use Trusted Publishers with GitLab CI/CD
cdb62ce 
* PyPI Trusted Publisher support now includes GitLab CI/CD, so use
  generated OIDC tokens to publish to TestPyPI or PyPI as needed in
  GitLab pipelines.
   - c.f. https://blog.pypi.org/posts/2024-04-17-expanding-trusted-publisher-support/
@matthewfeickert
Add required id_tokens
d8b6211
@matthewfeickert
feat: Use pipx to run id
14518cf 
* Requires id v1.4.0+
@matthewfeickert matthewfeickert force-pushed the feat/use-trusted-publisher-for-gitlab branch from 8a55804 to 14518cf Compare September 17, 2024 22:37
@facutuesca
Copy link

facutuesca commented May 2, 2025

Since twine 6.1.0, uploading with Trusted Publishing on GitLab CI/CD is automatically detected, and doesn't need any of the manual steps that were needed before (other than adding the id_tokens section). For example:

publish-job:
  stage: deploy
  image: python:3-bookworm
  id_tokens:
    PYPI_ID_TOKEN:
      aud: pypi
  script:
    - python -m pip install -U twine
    - twine upload python_pkg/dist/*

See the updated docs here: https://docs.pypi.org/trusted-publishers/using-a-publisher/#gitlab-cicd

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@matthewfeickert @facutuesca