{"meta":{"title":"Configuring OpenID Connect in PyPI","intro":"Use OpenID Connect within your workflows to authenticate with PyPI.","product":"GitHub Actions","breadcrumbs":[{"href":"/en/actions","title":"GitHub Actions"},{"href":"/en/actions/how-tos","title":"How-tos"},{"href":"/en/actions/how-tos/secure-your-work","title":"Secure your work"},{"href":"/en/actions/how-tos/secure-your-work/security-harden-deployments","title":"Security harden deployments"},{"href":"/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi","title":"OIDC in PyPI"}],"documentType":"article"},"body":"# Configuring OpenID Connect in PyPI\n\nUse OpenID Connect within your workflows to authenticate with PyPI.\n\n## Overview\n\nOpenID Connect (OIDC) allows your GitHub Actions workflows to authenticate with [PyPI](https://pypi.org) to publish Python packages.\n\nThis guide gives an overview of how to configure PyPI to trust GitHub's OIDC as a federated identity, and demonstrates how to use this configuration in the [`pypa/gh-action-pypi-publish`](https://github.com/marketplace/actions/pypi-publish) action to publish packages to PyPI (or other Python package repositories) without any manual API token management.\n\n## Prerequisites\n\n* To learn the basic concepts of how GitHub uses OpenID Connect (OIDC), and its architecture and benefits, see [OpenID Connect](/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect).\n\n* Before proceeding, you must plan your security strategy to ensure that access tokens are only allocated in a predictable way. To control how your cloud provider issues access tokens, you **must** define at least one condition, so that untrusted repositories can’t request access tokens for your cloud resources. For more information, see [OpenID Connect](/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-oidc-trust-with-the-cloud).\n\n## Adding the identity provider to PyPI\n\nTo use OIDC with PyPI, add a trust configuration that links each project on PyPI to each repository and workflow combination that's allowed to publish for it.\n\n1. Sign in to PyPI and navigate to the trusted publishing settings for the project you'd like to configure. For a project named `myproject`, this will be at `https://pypi.org/manage/project/myproject/settings/publishing/`.\n\n2. Configure a trust relationship between the PyPI project and a GitHub repository (and workflow within the repository). For example, if your GitHub repository is at `myorg/myproject` and your release workflow is defined in `release.yml` with an environment of `release`, you should use the following settings for your trusted publisher on PyPI.\n\n   > \\[!NOTE]\n   > Enter these values carefully. Giving the incorrect user, repository, or workflow the ability to publish to your PyPI project is equivalent to sharing an API token.\n\n   * Owner: `myorg`\n   * Repository name: `myproject`\n   * Workflow name: `release.yml`\n   * (Optionally) a GitHub Actions environment name: `release`\n\n## Updating your GitHub Actions workflow\n\nOnce your trusted publisher is registered on PyPI, you can update your release workflow to use trusted publishing.\n\n> \\[!NOTE]\n> When environments are used in workflows or in OIDC policies, we recommend adding protection rules to the environment for additional security. For example, you can configure deployment rules on an environment to restrict which branches and tags can deploy to the environment or access environment secrets. For more information, see [Managing environments for deployment](/en/actions/deployment/targeting-different-environments/managing-environments-for-deployment#deployment-protection-rules).\n\nThe [`pypa/gh-action-pypi-publish`](https://github.com/marketplace/actions/pypi-publish) action has built-in support for trusted publishing, which can be enabled by giving its containing job the `id-token: write` permission and omitting `username` and `password`.\n\nThe following example uses the `pypa/gh-action-pypi-publish` action to exchange an OIDC token for a PyPI API token, which is then used to upload a package's release distributions to PyPI.\n\n```yaml copy\n# This workflow uses actions that are not certified by GitHub.\n# They are provided by a third-party and are governed by\n# separate terms of service, privacy policy, and support\n# documentation.\njobs:\n  release-build:\n    runs-on: ubuntu-latest\n\n    steps:\n      - uses: actions/checkout@v6\n\n      - uses: actions/setup-python@v5\n        with:\n          python-version: \"3.x\"\n\n      - name: build release distributions\n        run: |\n          # NOTE: put your own distribution build steps here.\n          python -m pip install build\n          python -m build\n\n      - name: upload windows dists\n        uses: actions/upload-artifact@v4\n        with:\n          name: release-dists\n          path: dist/\n\n  pypi-publish:\n    runs-on: ubuntu-latest\n    needs:\n      - release-build\n    permissions:\n      id-token: write\n\n    steps:\n      - name: Retrieve release distributions\n        uses: actions/download-artifact@v5\n        with:\n          name: release-dists\n          path: dist/\n\n      - name: Publish release distributions to PyPI\n        uses: pypa/gh-action-pypi-publish@3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f\n```"}