Currently, PTMCMCSampler uses traditional API token authentication (PYPI_USERNAME and PYPI_PASSWORD secrets) for PyPI uploads in the GitHub Actions workflow. This approach is less secure and more complex to manage than GitHub's trusted publishing feature.
Current Setup:
- Uses `twine upload` with stored credentials
- Requires manual management of PyPI API tokens
- Credentials stored in GitHub secrets
Proposed Improvement:
- Migrate to GitHub's trusted publishing using `pypa/gh-action-pypi-publish@release/v1`
- Use OIDC (OpenID Connect) for authentication
- Remove dependency on stored API credentials
Benefits:
- Enhanced security (no long-lived API tokens)
- Simplified credential management
- Consistent with enterprise and enterprise_extensions packages
- Follows PyPI's recommended authentication method
- Automatic token rotation
Implementation Steps:
- Configure trusted publishing in PyPI project settings
- Update GitHub Actions workflow to use `pypa/gh-action-pypi-publish`
- Remove `TWINE_USERNAME` and `TWINE_PASSWORD` from workflow
- Add `id-token: write` permission to workflow
- Test release process
References: