
Add environment: pypi to publish job to match trusted publisher #4

Merged: mstorath merged 2 commits into main from claude/rename-release-to-pypi-2026-05 on May 7, 2026

@mstorath (Owner) commented May 7, 2026

Summary

Adds environment: pypi to the publish job in .github/workflows/release.yml so the OIDC token claim matches the PyPI trusted-publisher entry (which is registered with environment name pypi).

Why

The first v1.0.1 publish failed with:

invalid-publisher: valid token, but no corresponding publisher
* environment: MISSING

PyPI's pending publisher requires the environment claim to match what's registered. The workflow had no environment: declaration on the publish job, so the claim came through as MISSING. Adding environment: pypi makes the claim present and matching.

What changed

Single 1-line addition in the publish job:

  publish:
    name: Publish to PyPI
    runs-on: ubuntu-latest
    needs: [linux, macos, windows, sdist]
    if: startsWith(github.ref, 'refs/tags/v')
    environment: pypi    # ← added
    steps:

(The PR history contains a misguided rename-then-revert; squash-merging produces just the 1-line net change.)

Required follow-up after merging

The existing v1.0.1 tag points at a commit that doesn't have environment: pypi, so re-running its workflow will still fail. Two user-side steps:

  1. Delete the v1.0.1 tag (no PyPI artifact was ever published for it):
    git tag -d v1.0.1
    git push origin --delete v1.0.1
  2. Re-tag at the merged main HEAD:
    git checkout main && git pull
    git tag -a v1.0.1 -m "First PyPI release; continues MATLAB version line"
    git push origin v1.0.1

The publish workflow will then run with environment: pypi claim, OIDC matches the publisher, PyPI accepts.

GitHub Environment requirement

Note: trusted publishing with an environment also requires that a GitHub Environment named pypi exists on the repository (Settings → Environments). If it doesn't exist yet, GitHub will fail the job with "Value 'pypi' is not valid" when looking up the environment. Worth checking before re-tagging.

Test plan

@mstorath changed the title from "Rename release.yml -> pypi.yml to match PyPI trusted publisher" to "Add environment: pypi to publish job to match trusted publisher" on May 7, 2026
@mstorath mstorath merged commit 866eb50 into main May 7, 2026
16 checks passed
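
The claim mismatch behind the invalid-publisher error can be reproduced offline. The Python sketch below is an added example, not code from this repository or from PyPI: it decodes a GitHub Actions OIDC token payload for inspection only (no signature check) and compares it with a trusted-publisher entry. The owner and repository names, the sample tokens and the simplified matching rules are constructed assumptions; the workflow file, tag and environment name come from the PR description.

```python
import base64
import json


def jwt_claims(token):
    """Return the payload of a JWT for inspection. The signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def publisher_mismatches(claims, publisher):
    """List the claims that do not match a trusted-publisher entry (simplified)."""
    problems = []
    if claims.get("repository") != f"{publisher['owner']}/{publisher['repo']}":
        problems.append(f"repository: {claims.get('repository', 'MISSING')}")
    # job_workflow_ref has the form OWNER/REPO/.github/workflows/FILE@REF
    wf_file = claims.get("job_workflow_ref", "").split("@", 1)[0].rsplit("/", 1)[-1]
    if wf_file != publisher["workflow"]:
        problems.append(f"workflow: {wf_file or 'MISSING'}")
    wanted = publisher.get("environment")
    if wanted and claims.get("environment") != wanted:
        problems.append(f"environment: {claims.get('environment', 'MISSING')}")
    return problems


def make_token(claims):
    """Build an unsigned sample token (constructed test data, not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


REPO = "example-owner/example-repo"  # placeholder; the page does not name the repo
PUBLISHER = {"owner": "example-owner", "repo": "example-repo",
             "workflow": "release.yml", "environment": "pypi"}
BASE = {"repository": REPO, "ref": "refs/tags/v1.0.1",
        "job_workflow_ref": f"{REPO}/.github/workflows/release.yml@refs/tags/v1.0.1"}

# Job without `environment:` -> no environment claim, sub is keyed on the ref.
TOKEN_BEFORE = make_token({**BASE, "sub": f"repo:{REPO}:ref:refs/tags/v1.0.1"})
# Job with `environment: pypi` -> claim present, sub is keyed on the environment.
TOKEN_AFTER = make_token({**BASE, "environment": "pypi",
                          "sub": f"repo:{REPO}:environment:pypi"})

if __name__ == "__main__":
    for name, tok in (("before", TOKEN_BEFORE), ("after", TOKEN_AFTER)):
        print(name, publisher_mismatches(jwt_claims(tok), PUBLISHER) or "match")
```

Decoding a payload this way is only suitable for troubleshooting; a relying party must validate the token signature and issuer before trusting any claim.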