Skip to content

publish.yml

Verifies that the triggering tag is reachable from origin/main, builds the wheel and sdist with uv build, and uploads them as a workflow artifact named dist. It does not publish to PyPI directly.

Why the publish step is not here

PyPI OIDC trusted publishing matches the job_workflow_ref claim in the OIDC token against the configured trusted publisher. When pypa/gh-action-pypi-publish runs inside a reusable workflow in a different repository (cava-devops), the job_workflow_ref points to cava-devops, not the package repo. This causes an invalid-publisher error.

The upload step must therefore live in the calling repo's publish.yml as an inline job, after downloading the dist artifact produced here.

Inputs

Input Type Default Description
python-version string 3.12 Python version used to build the wheel

Usage

# .github/workflows/publish.yml in each package repo
name: Publish
on:
  push:
    tags: ['v*']

jobs:
  build:
    uses: AustralianCancerDataNetwork/cava-devops/.github/workflows/publish.yml@main

  publish:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    environment:
      name: pypi
      url: https://pypi.org/p/<package-name>
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1

Success

Replace <package-name> with the PyPI slug.

Tag verification

The Verify tag is on main step fails if the tag was created on a branch that has not been merged. This prevents publishing code that bypassed review.