Question 1

How do I set up trusted publishing for PyPI with this action?

Accepted Answer

Configure a job with 'id-token: write' permissions and an environment linked to PyPI, then invoke the action without username/password. First, ensure your PyPI project has a trusted publisher configured, as per the trusted publishing section.

Question 2

pypa/gh-action-pypi-publish or twine directly in CI?

Accepted Answer

This action wraps twine with security enhancements like OIDC and attestations, making it better for automated, secure publishing. Use twine alone if you need manual control or are in unsupported environments like containerized jobs.

Question 3

How to turn off digital attestations?

Accepted Answer

Set the 'attestations' input to false in the action configuration. This disables Sigstore-signed attestation generation, useful for custom repositories or if provenance tracking isn't needed.

Question 4

Why does my publish job fail on duplicate files?

Accepted Answer

By default, the action fails on duplicates to prevent incomplete releases. Enable 'skip-existing: true' to tolerate them, but this is discouraged for production PyPI uploads to avoid race conditions.

Question 5

Can I publish to TestPyPI with this action?

Accepted Answer

Yes, specify 'repository-url: https://test.pypi.org/legacy/' in the action inputs. Trusted publishing works with TestPyPI if configured, and you should update the environment name accordingly.

Question 6

How to publish only when a new tag is pushed?

Accepted Answer

Add a condition to the job: 'if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')'. This filters the job to run only on tagged commits, as shown in the usage examples.

Publish a Python distribution package to PyPI

What is Publish a Python distribution package to PyPI?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions