
Copilot AI commented Oct 21, 2025

Problem

The GitHub Actions workflow for publishing the Python package to PyPI was failing with the error:

Publisher's matching claims were not found
Environment value is missing

This prevented automatic package publishing to PyPI via the Trusted Publisher authentication system.

Solution

Added the missing environment: pypi field to the deploy job in .github/workflows/python-publish.yml.

What Changed

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: pypi  # ← Added this line
    permissions:
      id-token: write
      contents: read

Why This Fix Works

PyPI Trusted Publishers use OpenID Connect (OIDC) tokens from GitHub Actions to authenticate package uploads without requiring manual API tokens. The system verifies the publisher's identity by matching several claims between the GitHub Actions workflow and the PyPI project configuration:

  1. Repository (owner/repo)
  2. Workflow filename
  3. Environment name ← This was missing
  4. Job workflow reference

Without the environment field, the OIDC token from GitHub Actions was missing a critical claim, causing PyPI to reject the authentication attempt.

Next Steps

After merging this PR, the repository owner should:

  1. Configure PyPI Trusted Publisher at https://pypi.org/manage/project/cfbd/settings/publishing/ with:

    • Repository: zachringnight/cfbd-python
    • Workflow filename: python-publish.yml
    • Environment name: pypi
  2. Create the GitHub Environment (if it does not already exist):

    • Go to Settings → Environments → New environment
    • Enter name: pypi
    • Optionally add protection rules for additional security
  3. Test the workflow by pushing a commit to the main branch

Benefits

  • ✅ Enables secure, token-less publishing to PyPI
  • ✅ Eliminates the need to manage PyPI API tokens as GitHub secrets
  • ✅ Provides better security through OIDC authentication
  • ✅ Aligns with PyPI's recommended publishing method


Original prompt

The GitHub Actions job to publish the Python package to PyPI is failing due to a Trusted Publisher configuration error. The error indicates that the publisher's matching claims were not found, and the environment value is missing. To fix this issue:

  1. Update the workflow file to ensure that the PyPI Trusted Publisher configuration is correctly set up.
  2. Add the missing environment variable to the workflow file.
  3. Verify that the job_workflow_ref matches the expected configuration on PyPI.

Here is the current critical section of the workflow file:

permissions:
  id-token: write
  contents: read

steps:
- name: Publish package distributions to PyPI
  uses: pypa/gh-action-pypi-publish@release/v1

The solution will:

  • Ensure that the PyPI Trusted Publisher setup is correctly configured.
  • Add the required environment variable to the workflow.
  • Update or verify the PyPI token in the repository secrets.

The updated workflow file will include the necessary environment and claims to successfully authenticate with PyPI and publish the package.

This pull request was created as a result of the prompt from Copilot chat shown above under "Original prompt".



Co-authored-by: zachringnight <227446003+zachringnight@users.noreply.github.com>
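The claim matching described in the PR comment above, as an added example (not code from this PR, from the cfbd-python project, or from pypa/gh-action-pypi-publish): an offline preflight check that decodes a GitHub Actions OIDC token and compares the claims PyPI matches on (repository, workflow filename taken from job_workflow_ref, and environment) against what a Trusted Publisher is configured to expect. The helper names, the TrustedPublisher record and the two sample tokens are constructed for this illustration; the tokens are unsigned, which a real verifier must never accept, and PyPI additionally verifies the token signature against GitHub's OIDC keys.

```python
# Added example, not project code: preflight check of GitHub OIDC claims
# against a PyPI Trusted Publisher configuration. Tokens below are
# constructed and unsigned; only the claim-matching logic is demonstrated.
import base64
import json
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TrustedPublisher:
    """What the PyPI project's 'publishing' settings page records (hypothetical record)."""
    repository: str                    # "owner/repo"
    workflow_filename: str             # e.g. "python-publish.yml"
    environment: Optional[str] = None  # None if the form field was left blank


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: Dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_jwt_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Inspection only: a real verifier (PyPI) checks the signature first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_token(claims: Dict) -> str:
    """Constructed, unsigned token for offline demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}."


def workflow_filename_from_ref(job_workflow_ref: str) -> str:
    """'owner/repo/.github/workflows/publish.yml@refs/heads/main' -> 'publish.yml'"""
    path = job_workflow_ref.split("@", 1)[0]
    marker = "/.github/workflows/"
    if marker not in path:
        raise ValueError(f"unexpected job_workflow_ref: {job_workflow_ref!r}")
    return path.split(marker, 1)[1]


def check_claims(claims: Dict, publisher: TrustedPublisher) -> List[str]:
    """Return the list of mismatches; an empty list means the token would match."""
    problems: List[str] = []

    if claims.get("repository") != publisher.repository:
        problems.append(f"repository: token has {claims.get('repository')!r}, "
                        f"PyPI expects {publisher.repository!r}")

    try:
        filename = workflow_filename_from_ref(claims.get("job_workflow_ref") or "")
    except ValueError:
        filename = None
    if filename != publisher.workflow_filename:
        problems.append(f"workflow filename: token yields {filename!r}, "
                        f"PyPI expects {publisher.workflow_filename!r}")

    # GitHub only emits the 'environment' claim when the job sets `environment:`;
    # once the PyPI publisher config names one, a token without it is rejected.
    if publisher.environment is not None:
        env = claims.get("environment")
        if env is None:
            problems.append("environment value is missing: add "
                            f"`environment: {publisher.environment}` to the publishing job")
        elif env != publisher.environment:
            problems.append(f"environment: token has {env!r}, "
                            f"PyPI expects {publisher.environment!r}")
    return problems


# Publisher config as described in the PR's "Next Steps".
PUBLISHER = TrustedPublisher(repository="zachringnight/cfbd-python",
                             workflow_filename="python-publish.yml",
                             environment="pypi")

# Constructed claim sets: the deploy job before the fix (no environment) and after.
_COMMON = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "pypi",
    "repository": "zachringnight/cfbd-python",
    "job_workflow_ref": "zachringnight/cfbd-python/.github/workflows/python-publish.yml@refs/heads/main",
    "ref": "refs/heads/main",
}
TOKEN_BEFORE_FIX = make_unsigned_token(_COMMON)
TOKEN_AFTER_FIX = make_unsigned_token({**_COMMON, "environment": "pypi"})


def preflight(token: str, publisher: TrustedPublisher = PUBLISHER) -> List[str]:
    return check_claims(decode_jwt_claims(token), publisher)


if __name__ == "__main__":
    for label, tok in (("before fix", TOKEN_BEFORE_FIX), ("after fix", TOKEN_AFTER_FIX)):
        print(label, preflight(tok) or ["ok: all publisher claims match"])
```

Running the check on the "before" token reproduces the "environment value is missing" condition the PR describes, while the "after" token (the same job with `environment: pypi`) matches all three configured claims; a publisher record with the environment field left blank skips the environment comparison entirely.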
Copilot AI changed the title from "[WIP] Fix Trusted Publisher configuration for PyPI publishing" to "Fix PyPI Trusted Publisher configuration by adding environment field" Oct 21, 2025
Copilot AI requested a review from zachringnight October 21, 2025 07:24
@zachringnight zachringnight marked this pull request as ready for review October 21, 2025 07:26
@zachringnight zachringnight merged commit 32bade9 into main Oct 21, 2025
8 checks passed
@zachringnight zachringnight deleted the copilot/fix-pypi-publisher-configuration branch October 21, 2025 07:28