From ef399de0920f4e3426850ab4e48da01f9b02f969 Mon Sep 17 00:00:00 2001
From: Will Jones
Date: Fri, 24 Apr 2026 20:53:06 -0700
Subject: [PATCH] ci: switch PyPI publish to OIDC trusted publishing (#3302)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary
- Replaces `LANCEDB_PYPI_API_TOKEN` (long-lived token) with OIDC trusted publishing via `pypa/gh-action-pypi-publish`
- Adds `id-token: write` permission to linux/mac/windows jobs
- Removes `twine`-based upload and the `pypi_token` input from `upload_wheel` composite action
- Enables PEP 740 Sigstore attestations on published wheels as a bonus

After merging, rotate/revoke the `LANCEDB_PYPI_API_TOKEN` secret.

Closes #3294

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Sonnet 4.6
---
 .github/workflows/pypi-publish.yml | 12 ++++++---
 .github/workflows/upload_wheel/action.yml | 31 ++++++++---------------
 2 files changed, 19 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml
index 976dec77f..ca6e3219b 100644
--- a/.github/workflows/pypi-publish.yml
+++ b/.github/workflows/pypi-publish.yml
@@ -21,6 +21,9 @@ jobs:
 linux:
 name: Python ${{ matrix.config.platform }} manylinux${{ matrix.config.manylinux }}
 timeout-minutes: 60
+ permissions:
+ id-token: write
+ contents: read
 strategy:
 matrix:
 config:
@@ -60,10 +63,12 @@ jobs:
 - uses: ./.github/workflows/upload_wheel
 if: startsWith(github.ref, 'refs/tags/python-v')
 with:
- pypi_token: ${{ secrets.LANCEDB_PYPI_API_TOKEN }}
 fury_token: ${{ secrets.FURY_TOKEN }}
 mac:
 timeout-minutes: 90
+ permissions:
+ id-token: write
+ contents: read
 runs-on: ${{ matrix.config.runner }}
 strategy:
 matrix:
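Review bot: The `id-token: write` added to the `linux` job is held by every step of that job, not only by the tag-gated `upload_wheel` step, so the build steps and any third-party actions they pull in can mint an OIDC token on a tag build (the job's `on:` triggers are outside the hunk; if the job also runs for pull requests it carries the permission there too, even though the publish step is skipped). PyPI trusted publishing accepts any token whose repository, workflow-file and optional environment claims match, so the usual hardening — and what pypa's own guidance recommends — is to publish from a dedicated job that only downloads the built wheels as artifacts and is the sole job with `id-token: write`, and to bind that job with `environment: pypi` registered in the PyPI trusted-publisher config so deployment protection rules can gate it. Until that split, keep `contents: read` as written and add a comment on the block such as `# OIDC token for PyPI trusted publishing; used only by upload_wheel on python-v* tags`. The same block is repeated verbatim for `mac` and `windows` in the later hunks.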
@@ -88,10 +93,12 @@ jobs:
 - uses: ./.github/workflows/upload_wheel
 if: startsWith(github.ref, 'refs/tags/python-v')
 with:
- pypi_token: ${{ secrets.LANCEDB_PYPI_API_TOKEN }}
 fury_token: ${{ secrets.FURY_TOKEN }}
 windows:
 timeout-minutes: 60
+ permissions:
+ id-token: write
+ contents: read
 runs-on: windows-latest
 steps:
 - uses: actions/checkout@v4
@@ -110,7 +117,6 @@ jobs:
 - uses: ./.github/workflows/upload_wheel
 if: startsWith(github.ref, 'refs/tags/python-v')
 with:
- pypi_token: ${{ secrets.LANCEDB_PYPI_API_TOKEN }}
 fury_token: ${{ secrets.FURY_TOKEN }}
 gh-release:
 if: startsWith(github.ref, 'refs/tags/python-v')
diff --git a/.github/workflows/upload_wheel/action.yml b/.github/workflows/upload_wheel/action.yml
index 03725d03f..8bcdb7a88 100644
--- a/.github/workflows/upload_wheel/action.yml
+++ b/.github/workflows/upload_wheel/action.yml
@@ -2,9 +2,6 @@ name: upload-wheel
 description: "Upload wheels to Pypi"
 inputs:
- pypi_token:
- required: true
- description: "release token for the repo"
 fury_token:
 required: true
 description: "release token for the fury repo"
@@ -12,12 +9,6 @@ inputs:
 runs:
 using: "composite"
 steps:
- - name: Install dependencies
- shell: bash
- run: |
- python -m pip install --upgrade pip
- pip install twine
- python3 -m pip install --upgrade pkginfo
 - name: Choose repo
 shell: bash
 id: choose_repo
@@ -27,19 +18,17 @@ runs:
 else
 echo "repo=pypi" >> $GITHUB_OUTPUT
 fi
- - name: Publish to PyPI
+ - name: Publish to Fury
+ if: steps.choose_repo.outputs.repo == 'fury'
 shell: bash
 env:
 FURY_TOKEN: ${{ inputs.fury_token }}
- PYPI_TOKEN: ${{ inputs.pypi_token }}
 run: |
- if [[ ${{ steps.choose_repo.outputs.repo }} == fury ]]; then
- WHEEL=$(ls target/wheels/lancedb-*.whl 2> /dev/null | head -n 1)
- echo "Uploading $WHEEL to Fury"
- curl -f -F package=@$WHEEL https://$FURY_TOKEN@push.fury.io/lancedb/
- else
- twine upload --repository ${{ steps.choose_repo.outputs.repo }} \
- --username __token__ \
- --password $PYPI_TOKEN \
- target/wheels/lancedb-*.whl
- fi
+ WHEEL=$(ls target/wheels/lancedb-*.whl 2> /dev/null | head -n 1)
+ echo "Uploading $WHEEL to Fury"
+ curl -f -F package=@$WHEEL https://$FURY_TOKEN@push.fury.io/lancedb/
+ - name: Publish to PyPI
+ if: steps.choose_repo.outputs.repo == 'pypi'
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ packages-dir: target/wheels/
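Review bot: `uses: pypa/gh-action-pypi-publish@release/v1` pins the publishing step to a mutable branch, so whoever can move that branch can change the code that receives the OIDC token and the wheels; for the step that is now the sole trust anchor for releases, pin to a full-length commit SHA with the version in a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<40-char commit sha>  # vX.Y.Z`, and let Dependabot/Renovate bump it. The description says PEP 740 attestations are enabled, but the hunk never sets `attestations:`; that relies on the action's default, which a SHA pin would freeze, so state it explicitly with `attestations: true` under `with:`. Replacing the single shell step with two `if:`-guarded steps means any `repo` value other than `fury` or `pypi` now runs neither step and the action succeeds without uploading anything (the first branch of `Choose repo` is above the hunk, so I cannot tell whether that is reachable); a final step guarded by `if: steps.choose_repo.outputs.repo != 'fury' && steps.choose_repo.outputs.repo != 'pypi'` that exits non-zero would make that failure loud. The Fury path is not changed by this commit but still embeds `$FURY_TOKEN` in the URL on the curl command line; passing it with `-u "$FURY_TOKEN:"` keeps it out of curl's URL-bearing error output, and `--netrc-file` would also keep it off the process command line — worth a follow-up now that the PyPI token is gone.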