Supported PyPI trusted publishers

[lpsinger]

See https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/, https://docs.pypi.org/trusted-publishers/using-a-publisher/.

To support trusted publishers, add this to the pypa/gh-action-pypi-publish step:

permissions:
  id-token: write

Perhaps a boolean flag to turn this on or off?

[ConorMacBride]

I think we need to wait for pypi/warehouse#11096 to be closed before this will work in the reusable workflows unfortunately.

Once it is, adding what you have above to the upload job in each publish workflow should be all that is needed. The user and password inputs should be okay to keep — it will attempt the trusted publisher authentication when the password is empty. I think it should be fine without an additional flag to enable.

[pllim]

Any update on this? Has the situation changed? PyPA merged the recommendations into https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/

[Cadair]

Last I checked (a couple of weeks ago) it's still unsupported upstream.

[Cadair]

Looks like if you forked the templates into the same org you could maybe make it work: pypi/warehouse#11096 (comment)