Adding a trusted publisher to an existing PyPI project
Adding a trusted publisher to a PyPI project only requires a single setup step.
On the "Your projects" page, click "Manage" on any project you'd like to configure:
Then, click on "Publishing" in the project's sidebar:
That link will take you to the publisher configuration page for the project, which will allow you to configure trusted publishers for the different platforms supported by PyPI (such as GitHub Actions).
To enable a publisher, you need to tell PyPI how to trust it. Each trusted publisher has its own configuration requirements; the requirements for each are described below.
For GitHub Actions, you must provide the repository owner's name, the repository's name, and the filename of the GitHub Actions workflow that's authorized to upload to PyPI. In addition, you may optionally provide the name of a GitHub Actions environment.
For example, if you have a project at https://github.com/octo-org/sampleproject that uses a publishing workflow defined in .github/workflows/release.yml and a custom environment named release, then you'd do the following:
Note
Configuring an environment is optional, but strongly recommended: with a GitHub environment, you can apply additional restrictions to your trusted workflow, such as requiring manual approval on each run by a trusted subset of repository maintainers.
Once you click "Add", your publisher will be registered and will appear at the top of the page:
From this point onwards, the release.yml workflow on octo-org/sampleproject will be able to generate short-lived API tokens from PyPI for the project you've registered it against.
A publisher can be registered against multiple PyPI projects (e.g. for a multi-project repository), and a single PyPI project can have multiple publishers (e.g. for multiple workflows targeting different architectures or operating systems).