Skip to content

CI: add PyPI Trusted-Publishing “publish” job to wheels workflow (#61669) #61718

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 19 commits into
base: main
Choose a base branch
from
Open

CI: add PyPI Trusted-Publishing “publish” job to wheels workflow (#61669) #61718

wants to merge 19 commits into from

Conversation

evgmosme
Copy link

@evgmosme evgmosme commented Jun 27, 2025
edited
Loading

Summary

This PR enables Trusted Publishing (OIDC) uploads to PyPI when a GitHub release is published.

What’s changed

  • .github/workflows/wheels.yml

    • adds a new publish job that
      1. downloads all wheel / sdist artifacts from upstream jobs;
      2. excludes Pyodide wheels (*pyodide*.whl);
      3. runs pypa/gh-action-pypi-publish@v1 in the pypi environment.

  • doc/source/whatsnew/v3.0.0.rst

    • adds a single Build / CI line announcing the switch to Trusted Publishing

  • doc/source/development/maintaining.rst

    • drop manual twine step and note Trusted Publishing

No other files or CI matrix settings were changed.

evgenii added 13 commits June 26, 2025 16:53
CI: add Trusted Publishing job to wheels workflow (pandas-dev#61669)
a419d40
Remove obsolete standalone publish workflow
abda427
CI: fix wheel-workflow YAML, drop win-arm64
6e9027c
CI: set project name to evgmosme-pandas for TestPyPI
e3e583d
CI: temporarily shrink workflow matrix and add
9f9013e
CI: skip pyodide wheel on TestPyPI upload
4e4cc1e
Restore original wheels.yml from upstream/main
d311ce4
CI: skip win_arm64 for tests, add final publish block
6360900
CI: final Trusted-Publishing workflow (PyPI ready)
c15c176
Docs & CI: add publish-comment header; final PyPI configuration
0332486
DOC: add Build/CI trusted-publishing entry to v3.0.0 whatsnew (pandas…
c675826 
…-dev#61669)
CI: restore project name 'pandas' in pyproject.toml
3cac6a5
CI: normalize line endings in wheels.yml (pre-commit)
45291a7
@evgmosme evgmosme requested a review from mroeschke as a code owner June 27, 2025 08:03
@evgmosme
Copy link
Author

evgmosme commented Jun 27, 2025
edited
Loading

CI failed in the docstring-validation step with

AttributeError: 'getset_descriptor' object has no attribute '__module__'. Did you mean: '__reduce__'?

This occurs before my code runs, so it isn’t caused by the changes in this PR.
It looks related to the latest numpydoc release.
I’ll re-run CI once the upstream fix lands.

@evgmosme evgmosme closed this Jun 27, 2025
@evgmosme evgmosme reopened this Jun 27, 2025
@evgmosme evgmosme mentioned this pull request Jun 27, 2025
Closed
3 tasks
mroeschke
mroeschke reviewed Jun 27, 2025
View reviewed changes
mroeschke
mroeschke reviewed Jun 27, 2025
View reviewed changes
mroeschke
mroeschke reviewed Jun 27, 2025
View reviewed changes
mroeschke
mroeschke reviewed Jun 27, 2025
View reviewed changes
mroeschke
mroeschke reviewed Jun 27, 2025
View reviewed changes
mroeschke
mroeschke reviewed Jun 27, 2025
View reviewed changes
mroeschke
mroeschke reviewed Jun 27, 2025
View reviewed changes
@evgmosme evgmosme closed this Jun 28, 2025
@evgmosme evgmosme reopened this Jun 28, 2025
@EpicWink
Copy link

This workflow runs every day, on all pushes, and on all pull requests, but you said "uploads to PyPI when a release tag is pushed" in the description. Perhaps you want to put this in a new publish.yml workflow file, with on: { release: { types: [published] } }.

Because this makes the download-artifacts step run in a different workflow, you'll need to figure out the run-id argument.

You could alternatively add on: { release: { types: [published] } } to the wheels.yml workflow.

You need to update the release process documentation to change the new method for publishing (remove step 5: "Upload wheels to PyPI").

You likely want to document (in this pull request's description, and in the release process documentation) the new pypi GitHub environment needs to exist, and the corresponding publisher needs to be added to the project in PyPI.

@simonjayhawkins simonjayhawkins added Enhancement Build Library building on various platforms CI Continuous Integration labels Jun 30, 2025
@evgmosme evgmosme force-pushed the trusted-publish-pypi branch from d6552ce to 58cb179 Compare June 30, 2025 15:09
@evgmosme evgmosme force-pushed the trusted-publish-pypi branch from 6232f6f to 7359e1b Compare June 30, 2025 15:40
@evgmosme
Copy link
Author

@EpicWink All requested changes are in. Let me know if anything else’s needed - thanks!

EpicWink
EpicWink suggested changes Jul 1, 2025
View reviewed changes
Copy link

@EpicWink EpicWink left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You likely want to document (in this pull request's description, and in the release process documentation) the new pypi GitHub environment needs to exist, and the corresponding publisher needs to be added to the project in PyPI.

Still want to do this, at least in this pull request's description

.github/workflows/wheels.yml
publish:
if: >
github.repository == 'pandas-dev/pandas' &&
github.event_name == 'push' &&
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
github.event_name == 'push' &&
github.event_name == 'release' &&

To match documentation

doc/source/development/maintaining.rst

twine upload pandas/dist/pandas-<version>*.{whl,tar.gz} --skip-existing
5. Wheels are uploaded automatically by GitHub Actions
via **Trusted Publishing** when the GitHub *Release*
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
via **Trusted Publishing** when the GitHub *Release*
via [**Trusted Publishing**](https://docs.pypi.org/trusted-publishers/)
when the GitHub [*Release*](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases)

Link to documentation

doc/source/development/maintaining.rst
twine upload pandas/dist/pandas-<version>*.{whl,tar.gz} --skip-existing
5. Wheels are uploaded automatically by GitHub Actions
via **Trusted Publishing** when the GitHub *Release*
is published. No manual ``twine upload`` step is required.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
is published. No manual ``twine upload`` step is required.
is published. Do not run ``twine upload`` manually.

Your language makes it sounds like it's optional to run twine upload, but we actually don't want this (but perhaps you can instead say that twine upload is only for exceptional circumstances).

doc/source/development/maintaining.rst
5. Upload wheels to PyPI::

twine upload pandas/dist/pandas-<version>*.{whl,tar.gz} --skip-existing
5. Wheels are uploaded automatically by GitHub Actions
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
5. Wheels are uploaded automatically by GitHub Actions
5. Verify wheels are uploaded automatically by GitHub Actions

Actually make step 5 an action

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mroeschke mroeschke mroeschke left review comments

@EpicWink EpicWink EpicWink requested changes

Assignees
No one assigned
Labels
Build Library building on various platforms CI Continuous Integration Enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ENH: Switch to trusted publishing for package upload to PyPI in CI
4 participants
@evgmosme @EpicWink @mroeschke @simonjayhawkins