
HTTPError: 403 Forbidden or invalid-publisher: a valid token is recognized, but no corresponding publisher is found #232

Closed
ElieTaillard opened this issue Apr 24, 2024 · 8 comments
Labels
question Further information is requested

Comments

@ElieTaillard

ElieTaillard commented Apr 24, 2024

I'm encountering an issue when I run the publish_pypi_manually.yml action in my GitHub repository:

This action is configured to call another action, publish_pypi.yml. Here are the details of each YML file:

publish_pypi_manually.yml:

name: Publish PyPI package Manually

on:
  workflow_dispatch:

permissions:
  contents: read
  id-token: write

jobs:
  publish_pypi:
    name: Publish PyPI package
    uses: ./.github/workflows/publish_pypi.yml

publish_pypi.yml:

name: Publish Python Package

on:
  workflow_call:

jobs:
  build-and-pypi-publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write

    steps:
    - uses: actions/checkout@v3

    - name: Set up Python
      uses: actions/setup-python@v3
      with:
        python-version: '3.11'

    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        pip install build

    - name: Build package
      run: python -m build

    - name: Publish package
      uses: pypa/gh-action-pypi-publish@release/v1
      with:
        repository-url: https://test.pypi.org/legacy/

[test pypi screenshot (image not reproduced)]

Despite these configurations, I am receiving an action error. I've confirmed that my test PyPI account is set up for Trusted Publishing, but I'm still facing issues. Could there be a misunderstanding or misconfiguration I'm overlooking?

@webknjaz
Member

Do you have a link to your workflow run to share?


@webknjaz
Member

  workflow_call:

Oh, that's the problem (or a part of it?). PyPI doesn't currently support reusable workflows: #166.

Though, it's weird that the error is different from that issue. cc @woodruffw could you take a look?

@webknjaz
Member

    - name: Build package
      run: python -m build

By the way, it's highly discouraged to run the build within the same job as publishing having access to OIDC.

@ElieTaillard
Author

ElieTaillard commented Apr 24, 2024

  workflow_call:

Oh, that's the problem (or a part of it?). PyPI doesn't currently support reusable workflows: #166.

Though, it's weird that the error is different from that issue. cc @woodruffw could you take a look?

I've been attempting to use the API token method for publishing but encountered issues, specifically the error described in #138. Despite ensuring that my GitHub secret is not empty, I've been unable to successfully utilize this method. Consequently, I switched to Trusted Publishing. However, this switch introduced a new issue, which I mentioned earlier.

Regardless, I'm facing problems with both methods. With the API token, I receive an error stating invalid-publisher: a valid token is recognized, but no corresponding publisher is found (All lookup strategies exhausted). With Trusted Publishing, I encounter an HTTPError: 403 Forbidden. Thus, I'm at an impasse, though at least with Trusted Publishing, I can initiate the upload, unlike with the token method where I encounter an error right at the start.

Action Issue with Trusted Publisher: https://github.com/ElieTaillard/ikabot/actions/runs/8819839652/job/24212025378
Action Issue with API Token (Publisher removed from test pypi): https://github.com/ElieTaillard/ikabot/actions/runs/8821067830/job/24216114674

@webknjaz
Member

Action Issue with Trusted Publisher: https://github.com/ElieTaillard/ikabot/actions/runs/8819839652/job/24212025378

This will not work with reusable workflows, as I mentioned before. It's just not implemented in PyPI yet.

Action Issue with API Token (Publisher removed from test pypi): https://github.com/ElieTaillard/ikabot/actions/runs/8821067830/job/24216114674

This is also going the trusted publishers route because no token is passed to the action. You're trying to pass it but it never reaches the action. The reason is that when you use reusable workflows, they don't have access to secrets. You have to either configure access to all secrets or pass specific ones when calling the workflow. Here's the corresponding GitHub doc that you should follow in order to pass data from the calling workflow to the called one: https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow.

Also, make sure to drop the id-token: write privilege from all the places where you don't end up using it.

To summarize:

  1. You can make trusted publishers work by moving the job calling the action into the top-level workflow, out of the reusable one
  2. Alternatively, you can make tokens work by actually passing them properly per GitHub's docs
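Option 2 as an added example, not code from the issue: the calling workflow forwards the token explicitly and the reusable workflow declares it under on.workflow_call.secrets, so the publish action receives a password and does not fall through to trusted publishing. The secret names TEST_PYPI_API_TOKEN and PYPI_API_TOKEN are assumed.

```yaml
# File: .github/workflows/publish_pypi_manually.yml (caller; constructed example)
name: Publish PyPI package Manually
on:
  workflow_dispatch:
permissions:
  contents: read   # no id-token: write, the token path does not use OIDC
jobs:
  publish_pypi:
    uses: ./.github/workflows/publish_pypi.yml
    secrets:
      # Forward only the one secret the callee needs; `secrets: inherit`
      # would expose every repository secret to the reusable workflow.
      PYPI_API_TOKEN: ${{ secrets.TEST_PYPI_API_TOKEN }}  # assumed repo secret
---
# File: .github/workflows/publish_pypi.yml (reusable workflow; constructed example)
name: Publish Python Package
on:
  workflow_call:
    secrets:
      PYPI_API_TOKEN:
        description: API token for test PyPI
        required: true
jobs:
  build-and-pypi-publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - run: python -m pip install --upgrade pip build
      - run: python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          # With a password set, the action uploads with the token instead of
          # attempting trusted publishing (the cause of the 403 seen above).
          password: ${{ secrets.PYPI_API_TOKEN }}
          repository-url: https://test.pypi.org/legacy/
```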

@ElieTaillard
Author

@webknjaz
Thank you so much for the valuable information! I wasn't aware of the limitations regarding secrets in reusable workflows, and your explanation has really helped me understand how they work. Following your advice, I've opted to use the API token method by specifying secrets in the workflows that use my reusable workflow.

I also wanted to share some good news — thanks in part to your guidance, I've successfully published a new version of my package (with GitHub Actions). Here is the link: ikabot on PyPI.

Since my issue has been resolved, I'm closing the issue. Thank you again for your support and patience!

@webknjaz
Member

You're welcome!

@webknjaz webknjaz added the question Further information is requested label Apr 25, 2024
@ElieTaillard ElieTaillard changed the title HTTPError: 403 Forbidden from https://test.pypi.org/legacy/ HTTPError: 403 Forbidden or invalid-publisher: a valid token is recognized, but no corresponding publisher is found Apr 26, 2024