Skip to content

ci: Migrate release workflow to Trusted Publishing#517

Merged
gjtorikian merged 5 commits intomainfrom
birdcar/trusted-publishing
Jan 21, 2026
Merged

ci: Migrate release workflow to Trusted Publishing#517
gjtorikian merged 5 commits intomainfrom
birdcar/trusted-publishing

Conversation

@birdcar
Copy link
Contributor

@birdcar birdcar commented Jan 15, 2026
edited
Loading

Description

This PR migrates our PyPI release publishing from API token authentication to Trusted Publishing (OIDC) for improved security.

Additionally, while working on the PR I reviewed the uv example workflow and came to the realization that our previous release strategy merely duplicated the testing strategy from our CI tests (i.e. using pytest in a virtual environment) and not whether or not the package would be importable by clients and that all modules were accessible.

The release workflow now operates in isolated stages:

  1. Build the package
  2. Smoke test against each supported version of Python, failing the release if there's an issue
  3. Upload the package to PyPI via Trusted Publishing token

Documentation

Does this require changes to the WorkOS Docs? E.g. the API Reference or code snippets need updates.

[ ] Yes

If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.

@birdcar birdcar requested a review from gjtorikian January 15, 2026 14:57
@birdcar birdcar self-assigned this Jan 15, 2026
@birdcar birdcar requested a review from a team as a code owner January 15, 2026 14:57
@greptile-apps
Copy link
Contributor

greptile-apps bot commented Jan 15, 2026

Greptile Summary

This PR successfully migrates the PyPI release workflow from API token authentication to OpenID Connect (OIDC) Trusted Publishing, significantly improving security by eliminating the need for long-lived API tokens. The workflow now operates in three isolated stages: build, comprehensive smoke testing across all supported Python versions (3.8-3.14), and publishing to PyPI.

Key improvements:

  • Security enhancement: Replaced TWINE_PASSWORD secret with OIDC-based Trusted Publishing using id-token: write permission
  • Better testing strategy: Added comprehensive smoke tests that verify the actual package importability and module accessibility rather than just running pytest in the build environment
  • Multi-version validation: Tests both wheel and sdist distributions across all 7 supported Python versions (3.8-3.14) before publishing
  • Proper job isolation: Separated build, test, and publish concerns with artifact passing between stages

The smoke test suite is thorough, covering package imports, version metadata, type markers (py.typed), client instantiation (both sync and async), all module accessibility, core type imports, exception classes, and dependency availability.

Confidence Score: 5/5

  • This PR is safe to merge with no security or functional risks
  • The changes follow industry best practices for PyPI publishing, improve security by eliminating API tokens, add comprehensive pre-release validation across all supported Python versions, and properly implement OIDC Trusted Publishing with correct permissions scoping
  • No files require special attention

Important Files Changed

Filename Overview
.github/workflows/release.yml Migrated to Trusted Publishing with OIDC authentication, removed API token usage, added comprehensive smoke testing stage across all Python versions (3.8-3.14) before publishing
tests/smoke_test.py New comprehensive smoke test suite verifying package installation, imports, type markers, client instantiation, module accessibility, and dependency availability across both wheel and sdist distributions

Sequence Diagram

sequenceDiagram
    participant GH as GitHub (Release Event)
    participant Build as Build Job
    participant Artifacts as GitHub Artifacts
    participant Smoke as Smoke Test Job (Matrix 3.8-3.14)
    participant Publish as Publish Job
    participant PyPI as PyPI (OIDC)

    GH->>Build: Trigger on release published
    Build->>Build: Checkout code
    Build->>Build: Install uv
    Build->>Build: uv build (wheel + sdist)
    Build->>Artifacts: Upload dist/ artifacts
    
    Artifacts->>Smoke: Download dist/ artifacts
    Note over Smoke: Runs in parallel for each Python version
    Smoke->>Smoke: Install uv
    Smoke->>Smoke: Test wheel: uv run --isolated --with dist/*.whl
    Smoke->>Smoke: Test sdist: uv run --isolated --with dist/*.tar.gz
    Smoke->>Smoke: Verify imports, types, clients, modules
    
    alt All smoke tests pass
        Artifacts->>Publish: Download dist/ artifacts
        Publish->>Publish: Install uv
        Publish->>PyPI: uv publish (Trusted Publishing OIDC)
        PyPI-->>Publish: Package published
    else Any smoke test fails
        Smoke-->>GH: Workflow fails, no publish
    end
Loading

greptile-apps[bot]
greptile-apps bot reviewed Jan 15, 2026
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 files reviewed, no comments

Edit Code Review Agent Settings | Greptile

@birdcar birdcar force-pushed the birdcar/trusted-publishing branch from dc2081a to 5cf8f99 Compare January 15, 2026 15:52
@birdcar
ci: Migrate release workflow to Trusted Publishing
3a52171 
- Replace Twine/token-based auth with PyPI Trusted Publishing
- Add smoke tests to verify wheel and sdist before publishing
- Run smoke tests against all supported Python versions (3.8-3.14)
- Use matrix strategy for parallel testing across versions
- Use uv publish for streamlined publishing

Workflow structure:
1. build: Create wheel and sdist artifacts
2. smoke-test: Test on Python 3.8-3.14 in parallel
3. publish: Upload to PyPI after all tests pass

Smoke tests verify:
- Package imports correctly
- Both sync/async clients instantiate
- All module properties accessible
- Core types and exceptions importable
- Dependencies properly bundled
- py.typed marker present
@birdcar
chore: ignore unused import lint errors in smoke test
2ee9d93
@birdcar
ci: configure explicit Python version for smoke tests
aaf2930 
Pass python-version to setup-uv action to ensure the correct
Python version is installed before running smoke tests. Enable
cache-python to speed up subsequent workflow runs.
@birdcar birdcar force-pushed the birdcar/trusted-publishing branch from ad39cd0 to aaf2930 Compare January 15, 2026 16:10
gjtorikian
gjtorikian approved these changes Jan 21, 2026
View reviewed changes
Copy link
Contributor

@gjtorikian gjtorikian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks!

@gjtorikian gjtorikian merged commit bf23a30 into main Jan 21, 2026
11 checks passed
@gjtorikian gjtorikian deleted the birdcar/trusted-publishing branch January 21, 2026 20:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gjtorikian gjtorikian gjtorikian approved these changes

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@birdcar birdcar

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@birdcar @gjtorikian