Use Trusted Publishers for publishing releases to PyPI

[matthewfeickert]

At the moment uproot still uses long lived API token based publishing to PyPI

uproot5/.github/workflows/deploy.yml

Lines 43 to 45 in 734700e

	- uses: pypa/gh-action-pypi-publish@release/v1
	with:
	password: ${{ secrets.pypi_password }}

It would be preferable from a security and long term security maintenance view (c.f. scientific-python/summit-2024#9) to use Trusted Publishers for this.

Given that adding a trusted publisher to an existing PyPI project requires owner level control of the PyPI project, I can't make the necessary changes to enable this, but c.f. the following PRs as examples of what is needed after the fact:

• ci: Use PyPI Trusted Publisher for publishing package pyhf#2183
• ci: publish to PyPI with OIDC awkward#2450

[ianna]

I have added a trusted publisher to a project uproot:

Publisher information:

Publisher name: GitHub
Workflow: deploy.yml
Owner: scikit-hep
Repository: uproot5
Environment: pypi

@matthewfeickert - FYI

[matthewfeickert]

I have added a trusted publisher to a project uproot

@ianna Nice. 👍 The next step is to update

uproot5/.github/workflows/deploy.yml

Lines 43 to 45 in 06243c3

	- uses: pypa/gh-action-pypi-publish@release/v1
	with:
	password: ${{ secrets.pypi_password }}

to just be

 - uses: pypa/gh-action-pypi-publish@release/v1 
   with: 
     print-hash: true

[ianna]

I have added a trusted publisher to a project uproot

@ianna Nice. 👍 The next step is to update

uproot5/.github/workflows/deploy.yml

Lines 43 to 45 in 06243c3

• uses: pypa/gh-action-pypi-publish@release/v1
  with:
  password: ${{ secrets.pypi_password }}

to just be

• uses: pypa/gh-action-pypi-publish@release/v1
  with:
  print-hash: true

@matthewfeickert - it seems that something else is needed because upload is it's not working: https://github.com/scikit-hep/uproot5/actions/runs/13290591729/job/37236803777#step:5:140 Could you, please, have a look? Thanks!

[matthewfeickert]

it seems that something else is needed because upload is it's not working: https://github.com/scikit-hep/uproot5/actions/runs/13290591729/job/37236803777#step:5:140 Could you, please, have a look? Thanks!

@ianna given the error message,

Token request failed: the server refused the request for the following reasons:

* `invalid-publisher`: valid token, but no corresponding publisher (All lookup strategies exhausted)

This generally indicates a trusted publisher configuration error, but could
also indicate an internal error on GitHub or PyPI's part.

does https://pypi.org/project/uproot/ have things setup for trusted publishers? (c.f. https://docs.pypi.org/trusted-publishers/adding-a-publisher/)

Can you show me what the configuration settings on PyPI are for the trusted publisher?

[ianna]

it seems that something else is needed because upload is it's not working: https://github.com/scikit-hep/uproot5/actions/runs/13290591729/job/37236803777#step:5:140 Could you, please, have a look? Thanks!

@ianna given the error message,

Token request failed: the server refused the request for the following reasons:

* `invalid-publisher`: valid token, but no corresponding publisher (All lookup strategies exhausted)

This generally indicates a trusted publisher configuration error, but could
also indicate an internal error on GitHub or PyPI's part.

does https://pypi.org/project/uproot/ have things setup for trusted publishers? (c.f. https://docs.pypi.org/trusted-publishers/adding-a-publisher/)

Can you show me what the configuration settings on PyPI are for the trusted publisher?

Thanks @matthewfeickert ! It's https://github.com/scikit-hep/uproot5/blob/125493879043661bf14a08f269cce5baa36884ae/.github/workflows/deploy.yml

[matthewfeickert]

@ianna Thanks. It is because there's no pypi publishing environment created for scikit-hep/uproot5 (c.f. https://github.com/scikit-hep/uproot5/settings/environments).

From the guide:

For GitHub Actions, you must provide the repository owner's name, the repository's name, and the filename of the GitHub Actions workflow that's authorized to upload to PyPI. In addition, you may optionally provide the name of a GitHub Actions environment.

You'd also need to add under the publish job

uproot5/.github/workflows/deploy.yml

Line 20 in 1254938

publish:

an environment key like

...
    # Restrict to the environment set for the trusted publisher
    environment:
      name: pypi

where the environment.name needs to match the name of the environment you create.

---

For comparison, pyhf uses a GitHub Actions publishing environment named "publish-package" and so the publish step there has

...
    environment:
      name: publish-package

That "publish-package" environment has protection rules that restrict what branches/tags/refs can be published from

[ianna]

@matthewfeickert - Thanks! Indeed it was the environment. I will need to configure it properly. Thanks!