Publishes a Python project to PyPI, the Python Package Index.
```yaml
steps:
  - name: 'Publish to PyPI'
    uses: lfreleng-actions/pypi-publish-action@main
    with:
      environment: 'development'
      attestations: true
```
| Name | Required | Description |
|---|---|---|
| environment | False | Mandatory environment, e.g. development, production |
| tag | False | Tag for this build/release |
| artefact_path | False | Path/location of build artefacts |
| one_password_item | False | 1Password vault credential for PyPI publishing |
| op_service_account_token | False | 1Password service account credential to access vault |
| pypi_credential | False | PyPI API credential from GitHub secrets |
| publish_disable | False | Disables the final publishing step that uploads packages |
| attestations | False | Enables GitHub support for artefact attestations |
| no_checkout | False | Don't perform a checkout of the local repository |
Uses the upstream actions:
The second action above is a modified/forked version of another action:
Publishing supports three different authentication methods, tried in order of preference:
- Trusted Publishing (Uses an OIDC token)
- Static credential retrieved from 1Password vault using a service account
- A static credential from GitHub secrets
Note: the first/initial publishing step cannot leverage Trusted Publishing.
The first time a given repository gets published to PyPI, a static API key is necessary. After this, set up trusted publishing for the project in the PyPI web portal.
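The following workflow is an added example, not taken from the action's own documentation, showing how the authentication order above plays out in practice: a static token from a repository secret for the first release, then the same job falling back to nothing but the OIDC token once a Trusted Publisher exists on PyPI. The trigger, the job permissions (`id-token: write`, `attestations: write`), the use of `github.ref_name` for the `tag` input and the secret name `PYPI_API_TOKEN` are assumptions for the example; only the `with:` inputs come from the table above.

```yaml
# Added example (not part of the action's own README): release on a version tag.
name: Release to PyPI

on:
  push:
    tags:
      - 'v*'

jobs:
  publish:
    runs-on: ubuntu-latest
    # Assumption: the action requests the OIDC token itself, so the job needs
    # id-token: write for Trusted Publishing and attestations: write for
    # GitHub artefact attestations. contents: read keeps the GITHUB_TOKEN
    # at least privilege for everything else.
    permissions:
      contents: read
      id-token: write
      attestations: write
    # A GitHub deployment environment lets the PyPI Trusted Publisher entry pin
    # the exact environment name and lets GitHub require reviewer approval
    # before the publish job runs.
    environment: production
    steps:
      - name: 'Publish to PyPI'
        uses: lfreleng-actions/pypi-publish-action@main
        with:
          environment: 'production'
          # Assumption: the tag input takes the pushed tag name.
          tag: ${{ github.ref_name }}
          attestations: true
          # First release only: Trusted Publishing cannot be configured on PyPI
          # until the project exists, so a static API token is read from a
          # repository secret (PYPI_API_TOKEN is a placeholder name). Remove
          # this input after setting up the Trusted Publisher in the PyPI web
          # portal, so later releases rely on the short-lived OIDC token and
          # no long-lived credential remains in the repository secrets.
          pypi_credential: ${{ secrets.PYPI_API_TOKEN }}
```

Once the static token has been removed, a later run that still needs it indicates the Trusted Publisher was not configured (or its repository, workflow filename or environment name does not match), which is the usual cause of a publish failing after the first release. For a release pipeline it is also worth referencing the action by a release tag or full commit SHA rather than `@main`, so that the publishing step cannot change underneath the workflow without a reviewed update.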