CI: add PyPI Trusted-Publishing “publish” job to wheels workflow (#61669) #61718

evgmosme · 2025-06-27T08:03:45Z

closes ENH: Switch to trusted publishing for package upload to PyPI in CI #61669
all code checks passed (pre-commit & CI)
added an entry in doc/source/whatsnew/v3.0.0.rst

Summary

This PR enables Trusted Publishing (OIDC) uploads to PyPI when a GitHub release is published.

What’s changed

.github/workflows/wheels.yml
- adds a new publish job that
  1. downloads all wheel / sdist artifacts from upstream jobs;
  2. excludes Pyodide wheels (*pyodide*.whl);
  3. runs pypa/gh-action-pypi-publish@v1 in the pypi environment.
doc/source/whatsnew/v3.0.0.rst
- adds a single Build / CI line announcing the switch to Trusted Publishing
doc/source/development/maintaining.rst
- drop manual twine step and note Trusted Publishing

No other files or CI matrix settings were changed.

…-dev#61669)

evgmosme · 2025-06-27T08:41:40Z

CI failed in the docstring-validation step with

AttributeError: 'getset_descriptor' object has no attribute '__module__'. Did you mean: '__reduce__'?

This occurs before my code runs, so it isn’t caused by the changes in this PR.
It looks related to the latest numpydoc release.
I’ll re-run CI once the upstream fix lands.

.github/workflows/wheels.yml

doc/source/whatsnew/v3.0.0.rst

.github/workflows/wheels.yml

EpicWink · 2025-06-30T02:17:58Z

This workflow runs every day, on all pushes, and on all pull requests, but you said "uploads to PyPI when a release tag is pushed" in the description. Perhaps you want to put this in a new publish.yml workflow file, with on: { release: { types: [published] } }.

Because this makes the download-artifacts step run in a different workflow, you'll need to figure out the run-id argument.

You could alternatively add on: { release: { types: [published] } } to the wheels.yml workflow.

You need to update the release process documentation to change the new method for publishing (remove step 5: "Upload wheels to PyPI").

You likely want to document (in this pull request's description, and in the release process documentation) the new pypi GitHub environment needs to exist, and the corresponding publisher needs to be added to the project in PyPI.

evgmosme · 2025-06-30T15:54:36Z

@EpicWink All requested changes are in. Let me know if anything else’s needed - thanks!

evgenii added 13 commits June 26, 2025 16:53

CI: add Trusted Publishing job to wheels workflow (pandas-dev#61669)

a419d40

Remove obsolete standalone publish workflow

abda427

CI: fix wheel-workflow YAML, drop win-arm64

6e9027c

CI: set project name to evgmosme-pandas for TestPyPI

e3e583d

CI: temporarily shrink workflow matrix and add

9f9013e

CI: skip pyodide wheel on TestPyPI upload

4e4cc1e

Restore original wheels.yml from upstream/main

d311ce4

CI: skip win_arm64 for tests, add final publish block

6360900

CI: final Trusted-Publishing workflow (PyPI ready)

c15c176

Docs & CI: add publish-comment header; final PyPI configuration

0332486

DOC: add Build/CI trusted-publishing entry to v3.0.0 whatsnew (pandas…

c675826

…-dev#61669)

CI: restore project name 'pandas' in pyproject.toml

3cac6a5

CI: normalize line endings in wheels.yml (pre-commit)

45291a7

evgmosme requested a review from mroeschke as a code owner June 27, 2025 08:03

DOC: replace <PR_NUMBER> with 61718 in whatsnew

da41c89

evgmosme closed this Jun 27, 2025

evgmosme reopened this Jun 27, 2025

evgmosme mentioned this pull request Jun 27, 2025

BUG: CI docstring-validation fails with AttributeError in numpydoc validate.py #61720

Closed

3 tasks