ADR Suggestion Use PyPI Trusted Publishing via GitHub Actions

[AndrewSazonov]

Currently, when publishing Python packages to PyPI from GitHub CI, we usually rely on personal API tokens or passwords stored as GitHub secrets. I suggest switching to PyPI Trusted Publishing instead.

Trusted Publishing uses OpenID Connect (OIDC) and allows PyPI to trust GitHub Actions directly. This means:

• no personal API tokens,
• no long-lived secrets.

This setup needs to be done once per project on PyPI.

Configuration steps

1. Go to https://pypi.org and log in
2. Open Your account → Publishing (left sidebar)
3. Under Add a new publisher:
 Select GitHub Actions and fill in:
   • Organization: easyscience
   • Repository: your library repo name, e.g. peasy-lib, diffraction-lib, etc.
   • Workflow name: pypi-publish.yml
   • Environment name: Leave empty
4. Click Add

Result

After this is configured, the pypi-publish.yml workflow (added to the repository via the Copier templates) will automatically publish the package to PyPI whenever a new GitHub release is created.

[rozyczko]

No-brainer addition. Let's do it.

[damskii9992]

Like what Piotr says. I already used this when trying to publish pymuhrec earlier and I can confirm that it works and is relatively straightforward to use, it is much simpler than using GH secrets.

I think you can safely close this discussion and make a proper ADR out of this one without any further discussion.