fix: fix trusted publishing (#85)

hweawer · Copilot · web-flow · commit 2e9e7fa5e077 · 2026-03-06T09:57:55.000+01:00
* fix: fix trusted publishing

* fix: try different trusted publishing

* fix: script

* fix: export

* fix: export

* fix: move common code

* fix: publish on each commi

* fix: version

* Update .github/workflows/test-publish.yml

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* fix: fail on bad response

* fix: publish to test on push to main

---------

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/.github/scripts/pypi_oidc_upload.py b/.github/scripts/pypi_oidc_upload.py
@@ -0,0 +1,143 @@
+#!/usr/bin/env python3
+"""
+PyPI OIDC Trusted Publishing Upload Script
+
+Exchanges OIDC token for PyPI API token and uploads packages using twine.
+Replicates the functionality of pypa/gh-action-pypi-publish.
+"""
+import os
+import sys
+import subprocess
+import argparse
+import requests
+from pathlib import Path
+
+
+def exchange_oidc_token(oidc_token: str, token_exchange_url: str) -> str:
+    """Exchange OIDC token for PyPI API token."""
+    print(f"📤 Exchanging OIDC token at {token_exchange_url}...")
+    try:
+        mint_token_resp = requests.post(
+            token_exchange_url,
+            json={'token': oidc_token},
+            timeout=5
+        )
+        
+        if not mint_token_resp.ok:
+            try:
+                error_payload = mint_token_resp.json()
+                errors = error_payload.get('errors', [])
+                error_messages = '\n'.join(
+                    f"  - {err.get('code', 'unknown')}: {err.get('description', 'no description')}"
+                    for err in errors
+                )
+                print(f"❌ Token exchange failed:")
+                print(error_messages)
+                print("\n💡 This usually means:")
+                print("   - Trusted publisher configuration doesn't match")
+                print("   - Repository, workflow, or environment name mismatch")
+                print("   - Project name mismatch")
+            except:
+                print(f"❌ Token exchange failed: HTTP {mint_token_resp.status_code}")
+                print(f"Response: {mint_token_resp.text[:500]}")
+            sys.exit(1)
+        
+        mint_token_payload = mint_token_resp.json()
+        pypi_token = mint_token_payload.get('token')
+        
+        if not pypi_token:
+            print("❌ Token exchange response missing 'token' field")
+            print(f"Response: {mint_token_payload}")
+            sys.exit(1)
+        
+        print("✅ Successfully exchanged OIDC token for PyPI API token")
+        return pypi_token
+        
+    except requests.exceptions.RequestException as e:
+        print(f"❌ Token exchange request failed: {e}")
+        sys.exit(1)
+    except Exception as e:
+        print(f"❌ Unexpected error during token exchange: {e}")
+        sys.exit(1)
+
+
+def upload_packages(repository_url: str, skip_existing: bool = False) -> int:
+    """Upload packages to PyPI using twine."""
+    print("📤 Uploading packages with twine...")
+    dist_dir = Path("dist")
+    dist_files = list(dist_dir.glob("*"))
+    
+    if not dist_files:
+        print("❌ No distribution files found in dist/")
+        sys.exit(1)
+    
+    oidc_token = os.environ.get('OIDC_TOKEN')
+    token_exchange_url = os.environ.get('TOKEN_EXCHANGE_URL')
+    
+    if not oidc_token:
+        print("❌ OIDC token not found")
+        sys.exit(1)
+    
+    if not token_exchange_url:
+        print("❌ Token exchange URL not found")
+        sys.exit(1)
+    
+    # Exchange OIDC token for PyPI API token
+    pypi_token = exchange_oidc_token(oidc_token, token_exchange_url)
+    
+    # Set up twine environment
+    os.environ['TWINE_USERNAME'] = '__token__'
+    os.environ['TWINE_PASSWORD'] = pypi_token
+    
+    # Build twine command
+    twine_cmd = [
+        'twine', 'upload',
+        '--repository-url', repository_url,
+        '--verbose'
+    ]
+    
+    if skip_existing:
+        twine_cmd.append('--skip-existing')
+    
+    twine_cmd.extend([str(f) for f in dist_files])
+    
+    # Run twine upload
+    result = subprocess.run(
+        twine_cmd,
+        capture_output=True,
+        text=True
+    )
+    
+    print(result.stdout)
+    if result.stderr:
+        print(result.stderr, file=sys.stderr)
+    
+    return result.returncode
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description='Upload Python packages to PyPI using OIDC trusted publishing'
+    )
+    parser.add_argument(
+        '--repository-url',
+        required=True,
+        help='PyPI repository URL (e.g., https://upload.pypi.org/legacy/ or https://test.pypi.org/legacy/)'
+    )
+    parser.add_argument(
+        '--skip-existing',
+        action='store_true',
+        help='Skip uploading files that already exist on PyPI'
+    )
+    
+    args = parser.parse_args()
+    
+    exit_code = upload_packages(
+        repository_url=args.repository_url,
+        skip_existing=args.skip_existing
+    )
+    sys.exit(exit_code)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/.github/scripts/setup_oidc_token.sh b/.github/scripts/setup_oidc_token.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+# Setup OIDC token for PyPI trusted publishing
+# Usage: setup_oidc_token.sh <repository_domain>
+# Example: setup_oidc_token.sh pypi.org
+#          setup_oidc_token.sh test.pypi.org
+
+set -euo pipefail
+
+REPOSITORY_DOMAIN="${1:-}"
+
+if [ -z "$REPOSITORY_DOMAIN" ]; then
+  echo "❌ Repository domain is required"
+  echo "Usage: $0 <repository_domain>"
+  exit 1
+fi
+
+# Step 1: Get audience from PyPI
+echo "🔄 Getting OIDC audience from PyPI..."
+AUDIENCE_URL="https://${REPOSITORY_DOMAIN}/_/oidc/audience"
+AUDIENCE_RESPONSE=$(curl -sS -w "\n%{http_code}" "$AUDIENCE_URL")
+HTTP_CODE=$(echo "$AUDIENCE_RESPONSE" | tail -n1)
+AUDIENCE_RESPONSE=$(echo "$AUDIENCE_RESPONSE" | sed '$d')
+if [ "$HTTP_CODE" != "200" ]; then
+  echo "❌ Failed to get audience from PyPI (HTTP $HTTP_CODE). Response: ${AUDIENCE_RESPONSE:-<empty>}"
+  exit 1
+fi
+
+OIDC_AUDIENCE=$(echo "$AUDIENCE_RESPONSE" | jq -r '.audience')
+if [ -z "$OIDC_AUDIENCE" ] || [ "$OIDC_AUDIENCE" = "null" ]; then
+  echo "❌ Invalid audience response: $AUDIENCE_RESPONSE"
+  exit 1
+fi
+
+echo "✅ Got OIDC audience: $OIDC_AUDIENCE"
+
+# Step 2: Get OIDC token from GitHub Actions with the correct audience
+echo "🔄 Getting OIDC token from GitHub Actions..."
+OIDC_RAW=$(curl -sS -w "\n%{http_code}" -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+  "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=$OIDC_AUDIENCE")
+HTTP_CODE=$(echo "$OIDC_RAW" | tail -n1)
+OIDC_JSON=$(echo "$OIDC_RAW" | sed '$d')
+if [ "$HTTP_CODE" != "200" ]; then
+  echo "❌ Failed to get OIDC token (HTTP $HTTP_CODE). Response: ${OIDC_JSON:-<empty>}"
+  exit 1
+fi
+OIDC_TOKEN=$(echo "$OIDC_JSON" | jq -r '.value')
+
+if [ -z "$OIDC_TOKEN" ] || [ "$OIDC_TOKEN" = "null" ]; then
+  echo "❌ Invalid OIDC token response: $OIDC_JSON"
+  exit 1
+fi
+
+echo "✅ OIDC token obtained (length: ${#OIDC_TOKEN})"
+
+# Step 3: Set up token exchange URL
+TOKEN_EXCHANGE_URL="https://${REPOSITORY_DOMAIN}/_/oidc/mint-token"
+
+# Export for Python script
+export OIDC_TOKEN
+export TOKEN_EXCHANGE_URL
+
+echo "✅ OIDC token setup complete"
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -41,8 +41,17 @@ jobs:
         run: |
           poetry build --no-interaction
 
-      - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+      - name: Get OIDC token and publish to PyPI
+        run: |
+          # Setup OIDC token (sets OIDC_TOKEN and TOKEN_EXCHANGE_URL environment variables)
+          source .github/scripts/setup_oidc_token.sh pypi.org
+          
+          # Install dependencies
+          pip install twine requests
+          
+          # Exchange token and upload using shared script
+          python3 .github/scripts/pypi_oidc_upload.py \
+            --repository-url "https://upload.pypi.org/legacy/"
 
       - name: Success message
         run: echo "ℹ️ Published version ${{ steps.extract-version.outputs.version }} 🎉"
diff --git a/.github/workflows/test-publish.yml b/.github/workflows/test-publish.yml
@@ -1,8 +1,8 @@
 name: Test PyPI Publishing
 on:
   workflow_dispatch:
-  pull_request:
   push:
+    branches: [main]
 
 jobs:
   test-publish:
@@ -34,7 +34,23 @@ jobs:
       - name: Extract version
         id: extract-version
         run: |
-          echo "version=$(poetry version -s)" >> $GITHUB_OUTPUT
+          BASE_VERSION=$(poetry version -s)
+          # For test publishes, use dev version with a unique number per commit
+          # PyPI doesn't allow local versions (with +), so we use .devN format
+          # Use epoch seconds as dev number for uniqueness (modulo to keep it reasonable)
+          TIMESTAMP=$(date +%s)
+          DEV_NUMBER=$((TIMESTAMP % 10000000))  # Keep it under 10 million
+          # Use dev version format: 2.2.2 -> 2.2.3.dev1234567 (increment patch, add dev number)
+          IFS='.' read -r MAJOR MINOR PATCH <<< "$BASE_VERSION"
+          TEST_VERSION="${MAJOR}.${MINOR}.$((PATCH + 1)).dev${DEV_NUMBER}"
+          echo "base_version=$BASE_VERSION" >> $GITHUB_OUTPUT
+          echo "version=$TEST_VERSION" >> $GITHUB_OUTPUT
+          echo "test_version=$TEST_VERSION" >> $GITHUB_OUTPUT
+
+      - name: Set test version
+        run: |
+          # Temporarily set version with dev version + commit SHA for test publish
+          poetry version ${{ steps.extract-version.outputs.test_version }}
 
       - name: Build distribution
         run: |
@@ -45,13 +61,18 @@ jobs:
           ls -la dist/
           echo "✅ Distributions built successfully"
 
-      - name: Test PyPI publish (dry-run check)
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          repository-url: https://test.pypi.org/legacy/
-          skip-existing: true
-          print-hash: true
-          verbose: true
+      - name: Get OIDC token and publish to TestPyPI
+        run: |
+          # Setup OIDC token (sets OIDC_TOKEN and TOKEN_EXCHANGE_URL environment variables)
+          source .github/scripts/setup_oidc_token.sh test.pypi.org
+          
+          # Install dependencies
+          pip install twine requests
+          
+          # Exchange token and upload using shared script
+          # No --skip-existing needed since each commit has a unique version
+          python3 .github/scripts/pypi_oidc_upload.py \
+            --repository-url "https://test.pypi.org/legacy/"
 
       - name: Success message
         run: echo "ℹ️ Test publish completed for version ${{ steps.extract-version.outputs.version }} 🎉"
