Publish to PyPI with trusted publishing

[EpicWink]

Trusted publishing (with attestations) means I have high confidence that what I download from PyPI is the same artefact which was generated in GitHub CI, meaning that what I see in GitHub is the same as what is installed - handy for auditing.

This is instead of manually uploading via a local invocation of twine.

See the Python packaging documentation, the PyPI documentation, and the official pypi-publish GitHub action documentation on trusted publishing.

Implementation (using GitHub actions) (click to expand)

• Configure a GitHub CI workflow for publishing the package to PyPI, with package build and publish jobs
• Configure (or use an existing) GitHub environment, and register with PyPI
• Add the environment definition to the publish job
• Add id-token: write and contents: read permissions to the same publish job

[mricken]

At this time, publishing to PyPi does not happen from a GitHub action, but directly from Oracle-owned build infrastructure. Therefore, using a GitHub "trusted publisher" is not appropriate.

We will explore if there is a way to use trusted publishing directly from Oracle infrastructure.

[EpicWink]

I would expect Oracle DevOps (or it's backing authentication infrastructure) could become a trusted publisher: see PyPI's docs