My understanding of the Trusted Publisher/OIDC approach is that I do not need to specify secrets; I set up the relevant pending publisher on PyPI, and changed my workflow to set
I have a public repo set up with a "deploy" environment. Before I found out about Trusted Publisher, I added a PyPI secret to that environment (the history of the workflow will show where I was initially using the "pass a secret" approach).

My current workflow that failed: https:/cricalix/python-lsp-pyre/blob/54789ccf5f87ebb526917a671678fc7e902a4db9/.github/workflows/python-publish.yml

The error:

Warning: It looks like you are trying to use an API token to authenticate in the package index and your token value does not start with "pypi-" as it typically should. This may cause an authentication error. Please verify that you have copied your token properly if such an error occurs.

I have also tried removing the environment requirement on the PyPI side, and removed the environment setup from the workflow (main will show it). This fails the same way.

What elementary mistake am I making that's covered in the fine manual that I've read multiple times? :)
I'll also add that I tested with a private repo against the PyPI test index, but in that case I used the
Of course, one posts a rubber-duck type question and then thinks of what the duck would say.

I moved the SHA forward to f47b347 which advocates for the OIDC approach, and it all works. I don't know where I got the previous SHA from - probably GitHub documentation/template?
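A small pre-flight check for the failure discussed in this thread, added here as an example and not taken from any participant's post or from the action's own code. It assumes the publish step is `pypa/gh-action-pypi-publish`; the sample workflow, the secret name `PYPI_API_TOKEN` and the all-zero SHA are constructed placeholders.

```python
import re

# Constructed sample workflow (not the poster's file): publish step pinned to a
# placeholder commit SHA, no id-token permission, leftover password input.
SAMPLE_WORKFLOW = """\
name: publish
on:
  release:
    types: [published]
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: deploy
    steps:
      - uses: actions/checkout@v4
      - name: Publish package
        uses: pypa/gh-action-pypi-publish@0000000000000000000000000000000000000000
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
"""

# Line-based heuristics; a full YAML parse would scope these to the publish job.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*pypa/gh-action-pypi-publish@(\S+)", re.M)
ID_TOKEN_RE = re.compile(r"^\s*id-token:\s*write\s*(?:#.*)?$", re.M)
PASSWORD_RE = re.compile(r"^\s*password:\s*\S", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_trusted_publishing(workflow_text):
    """Return a list of reasons the workflow may not authenticate via OIDC."""
    match = USES_RE.search(workflow_text)
    if not match:
        return ["no pypa/gh-action-pypi-publish step found"]
    findings = []
    ref = match.group(1)
    if FULL_SHA_RE.match(ref):
        # A pinned commit cannot be judged offline; surface it for manual review.
        findings.append(f"pinned to commit {ref[:7]}: confirm this commit supports OIDC")
    if not ID_TOKEN_RE.search(workflow_text):
        findings.append("missing 'id-token: write' permission, so no OIDC token can be requested")
    if PASSWORD_RE.search(workflow_text):
        findings.append("'password' input is set, so token auth is used instead of OIDC")
    return findings


if __name__ == "__main__":
    for finding in check_trusted_publishing(SAMPLE_WORKFLOW):
        print("-", finding)
```

The pinned-commit finding is informational: pinning by SHA is still the safer practice, but the pin has to point at a release of the action that implements Trusted Publishing.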