Trusted Publisher support for PyPI #1575

Closed
ravenexp opened this issue Apr 21, 2023 · 7 comments · Fixed by #1578
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@ravenexp (Contributor)

Recently, PyPI has introduced a new authorization method called "Trusted publishing", which is based on OpenID Connect (OIDC).

https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/

I wonder if it makes sense to support it in Maturin directly, or it is better to delegate it to maturin-action. I don't know if PyPI is ever going to support other OIDC identity providers besides GitHub.

Technical details: https://docs.pypi.org/trusted-publishers/using-a-publisher/

ravenexp added the "enhancement" label on Apr 21, 2023

@messense (Member)

I'd love to have this, pull requests are welcome!

> I wonder if it makes sense to support it in Maturin directly, or it is better to delegate it to maturin-action.

I have the same question, but I think it's fine to implement it directly in maturin if it isn't hard and doesn't add too heavy dependencies.

messense added the "good first issue" label on Apr 22, 2023

@ravenexp (Contributor, Author)

From the cursory look we only need ureq and serde_json to implement this feature. Maturin already depends on those crates. Writing a working test for this will probably be more difficult than the implementation itself, since this feature is only supposed to work when run in the GitHub Actions environment.

I'll give it a try this weekend, but I'm not sure I'll be able to finish the PR in such short time.

@messense (Member)

Yeah, I think it's hard to write a working test, perhaps we can just test it manually. I can take over and also try to verify that it's actually working if you can't finish it.

@wiktor-k commented Sep 1, 2023

Sorry to bump this old ticket, but I see everything is merged; how do I actually use it? (I have checked the docs.)

Running `maturin generate-ci github` still gives a config that uses `PYPI_API_TOKEN`:

```yaml
...
  release:
    name: Release
    runs-on: ubuntu-latest
    if: "startsWith(github.ref, 'refs/tags/')"
    needs: [linux, windows, macos, sdist]
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: wheels
      - name: Publish to PyPI
        uses: PyO3/maturin-action@v1
        env:
          MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
        with:
          command: upload
          args: --non-interactive --skip-existing *
```

(`maturin --version` is 1.2.3) while the docs at https://docs.pypi.org/trusted-publishers/using-a-publisher/ use the `pypa/gh-action-pypi-publish` action and require some additional permissions.

Not sure if this is something that will just automatically work out of the box if the workflow is authorized in https://pypi.org/manage/project/X/settings/publishing/ ?

Once again, sorry for asking but things like that are hard to test without doing the actual release of the package.

Thanks for your time! 👋

@messense (Member) commented Sep 1, 2023

@wiktor-k Just remove the `env: MATURIN_PYPI_TOKEN` part and set up a trusted publisher in PyPI; it should work.

It'd print `🔐 Using trusted publisher for upload` when working.

@wiktor-k commented Sep 1, 2023

Thank you very much! 🙇

@nleroy917 commented Oct 9, 2023

Hi!

I ended up here since I am also trying to publish using the trusted publishers workflow. I removed my env variable as was suggested above, but I still get the following error:

```text
💥 maturin failed
  Caused by: Credentials not found and non-interactive mode is enabled
```

I have a very similar workflow file to the above. Any help would be appreciated!

Update: I had to add two things to the maturin upload step:

1. Permissions:

```yaml
permissions:
  id-token: write
```

2. Environment name:

```yaml
environment: release
```

So now it looks like this:

```yaml
  release:
    name: Release
    runs-on: ubuntu-latest
    environment: release
    permissions:
      id-token: write
    if: "startsWith(github.ref, 'refs/tags/')"
    needs: [linux, windows, macos, sdist]
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: wheels
          path: ./bindings/python/dist
      - name: Publish to PyPI
        uses: PyO3/maturin-action@v1
        with:
          command: upload
          args: --non-interactive --skip-existing ./bindings/python/dist/*
```
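The two fixes in the comment above (granting `id-token: write` and declaring the environment the PyPI publisher is bound to) are easy to forget when the generated workflow still carries the token-based step. The checker below is an added example, not maturin's or maturin-action's code: `resolve_credential_source` models the credential lookup order that produces the "Credentials not found" error when a job has neither a token nor the OIDC request variables GitHub only exposes under `id-token: write`, and `lint_release_job` flags the job-level settings from this thread. The ordering of the lookup, the function names, and the dict shape of the jobs are assumptions for illustration; the two job dicts are constructed to mirror the YAML snippets posted in this issue.

```python
"""Trusted-publishing readiness checks for a maturin-action release job.

Added example, not project code.  Models the failure mode and the fixes
discussed in PyO3/maturin#1575.
"""
from __future__ import annotations

from typing import Any, Mapping

# GitHub Actions exposes these two variables to a job only when the job (or
# the workflow) grants `permissions: id-token: write`.  Publishers use them to
# request the OIDC token that PyPI exchanges for a short-lived upload token.
OIDC_ENV_VARS = ("ACTIONS_ID_TOKEN_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_TOKEN")


def resolve_credential_source(env: Mapping[str, str], non_interactive: bool = True) -> str:
    """Decide which credential path an upload would take for the given step env.

    Returns "token" (MATURIN_PYPI_TOKEN set), "oidc" (no token, but the job can
    mint a GitHub OIDC token) or "prompt" (interactive fallback).  With nothing
    available in non-interactive mode it raises, mirroring the error quoted in
    the thread.  The lookup order here is an assumption, not maturin's code.
    """
    if env.get("MATURIN_PYPI_TOKEN"):
        return "token"
    if all(env.get(name) for name in OIDC_ENV_VARS):
        return "oidc"
    if non_interactive:
        raise RuntimeError("Credentials not found and non-interactive mode is enabled")
    return "prompt"


def _environment_name(job: Mapping[str, Any]) -> str | None:
    """`environment:` may be a bare name or a mapping with a `name` key."""
    env = job.get("environment")
    if isinstance(env, Mapping):
        return env.get("name")
    return env


def lint_release_job(job: Mapping[str, Any], pypi_environment: str | None = None) -> list[str]:
    """Return findings that would make trusted publishing fail for this job.

    `pypi_environment` is the optional environment name configured on the PyPI
    publisher; when set, the OIDC token must carry a matching claim, which
    GitHub only includes if the job declares that environment.
    """
    findings: list[str] = []
    permissions = job.get("permissions") or {}
    if permissions.get("id-token") != "write":
        findings.append(
            "missing `permissions: id-token: write`: GitHub will not expose "
            "ACTIONS_ID_TOKEN_REQUEST_* and the upload ends in 'Credentials not found'"
        )
    if pypi_environment is not None and _environment_name(job) != pypi_environment:
        findings.append(
            f"PyPI publisher expects environment {pypi_environment!r} but the job "
            f"declares {_environment_name(job)!r}"
        )
    for step in job.get("steps", []):
        uses = str(step.get("uses", ""))
        if uses.startswith("PyO3/maturin-action") and "MATURIN_PYPI_TOKEN" in (step.get("env") or {}):
            findings.append("step still sets MATURIN_PYPI_TOKEN; remove it so the OIDC path is used")
    return findings


# Constructed job dicts modelling the two YAML snippets posted in this issue:
# the `maturin generate-ci github` output, and the corrected job.
GENERATED_JOB: dict[str, Any] = {
    "name": "Release",
    "runs-on": "ubuntu-latest",
    "steps": [
        {"uses": "actions/download-artifact@v3", "with": {"name": "wheels"}},
        {
            "name": "Publish to PyPI",
            "uses": "PyO3/maturin-action@v1",
            "env": {"MATURIN_PYPI_TOKEN": "${{ secrets.PYPI_API_TOKEN }}"},
            "with": {"command": "upload", "args": "--non-interactive --skip-existing *"},
        },
    ],
}

FIXED_JOB: dict[str, Any] = {
    "name": "Release",
    "runs-on": "ubuntu-latest",
    "environment": "release",
    "permissions": {"id-token": "write"},
    "steps": [
        {"uses": "actions/download-artifact@v3", "with": {"name": "wheels"}},
        {
            "name": "Publish to PyPI",
            "uses": "PyO3/maturin-action@v1",
            "with": {"command": "upload", "args": "--non-interactive --skip-existing *"},
        },
    ],
}

if __name__ == "__main__":
    for label, job in (("generated", GENERATED_JOB), ("fixed", FIXED_JOB)):
        print(label, lint_release_job(job, pypi_environment="release") or ["ok"])
```

Run against a parsed workflow (for example with `yaml.safe_load` on the job mapping), the generated job yields three findings with a PyPI environment of `release` and the corrected job none; leaving `pypi_environment` unset skips the environment check for publishers that were registered without one.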

wiktor-k added a commit to wiktor-k/pysequoia that referenced this issue Nov 23, 2023
ghuls added a commit to aertslab/scatac_fragment_tools that referenced this issue Feb 7, 2024
Fix publishing to PyPI via trusted publishing as described in:
  PyO3/maturin#1575
ghuls added a commit to ghuls/maturin that referenced this issue Feb 7, 2024
Add extra note to "Using PyPI's trusted publishing" section to
solve issues publishing to PyPI when "Environment name" is set
on PyPI.

Based on: PyO3#1575 (comment)