Support Gitlab CI/CD as a trusted publisher

[jamesharr]

Summary

This Issue is a feature request to add Gitlab-CI/CD support as a trusted publisher when working with PyPI repositories.

PyPI has Support for Gitlab-CI/CD as a trusted publisher (2) and UV includes support for Github-Actions as a trusted publisher, so I suspect adding Gitlab-CI/CD support would be small incremental work.

It's possible that UV might already support this and the only thing required is additional documentation to get the environment variables set correctly. I did not have any luck in making it work on my own after reading UV's documentation. It's not entirely clear to me as to what underlying tools UV makes use of to do python publishing (I heard Twine mentioned in the Discord community), so my expectation as a user is that the UV docs would include an example+instructions OR link to the documentation of the underlying tool that does the publishing.

During my attempt setting it up, I wound up finding a [blog post (2)] 1 detailing some steps to make it work, however there is some work that needs to be done outside UV to exchange an OAuth2 token for a PyPI JWT token that can be passed in via the CLI.

Example from the blog post (1):

.release-base:
  stage: 'deploy'
  id_tokens:
    PYPI_ID_TOKEN:
      aud: '$PYPI_OIDC_AUD'
  script:
    - >-
      resp="$(curl -X POST "${PYPI_OIDC_URL}" -d "{\"token\":\"${PYPI_ID_TOKEN}\"}")"
    - >-
      publish_token="$(python -c "import json; print(json.load('${resp}')['token'])")"
    - 'uv publish --token "$publish_token"'

release:
  extends: '.release-base'
  rules:
    - if: '$CI_COMMIT_TAG'
  environment:
    name: 'release'
    url: 'https://pypi.org/project/typed-settings/'
  variables:
    PYPI_OIDC_AUD: 'pypi'
    PYPI_OIDC_URL: 'https://pypi.org/_/oidc/mint-token'
    UV_PUBLISH_URL: 'https://upload.pypi.org/legacy/'

References:

1. Publishing to PyPI with a Trusted Publisher from GitLab CI/CD - Stefan Scherfke blog post
2. Publishing with a Trusted Publisher - PyPI Docs
3. Publishing your package - UV Documentation
4. Using uv in GitLab Ci/CD - UV Documentation

Example

No response

[markdoerr]

@jamesharr, I have a similar issue.

On gitlab (https://docs.pypi.org/trusted-publishers/using-a-publisher/#gitlab-cicd ) I found the following instructions for
twine using the Trusted Publisher ID:

build-job:
  stage: build
  image: python:3-bookworm
  script:
    - python -m pip install -U build
    - cd python_pkg && python -m build
  artifacts:
    paths:
      - "python_pkg/dist/"

publish-job:
  stage: deploy
  image: python:3-bookworm
  dependencies:
    - build-job
  id_tokens:
    PYPI_ID_TOKEN:
      # Use "testpypi" if uploading to TestPyPI
      aud: pypi
  script:
    # Install dependencies
    - python -m pip install -U twine

    # Upload to PyPI, add "--repository testpypi" if uploading to TestPyPI
    # With no token specified, twine will use Trusted Publishing
    - twine upload python_pkg/dist/*

Which I managed to run.

When I try the same with uv, it fails:

release-test:
  stage: publish_pypi
  image: ghcr.io/astral-sh/uv:$UV_VERSION-python$PYTHON_VERSION-$BASE_LAYER
  dependencies:
    - test-build-package
  id_tokens:
    TESTPYPI_ID_TOKEN:
      # Use "testpypi" if uploading to TestPyPI, else use "pypi"
      aud: testpypi
  script:
    # Upload to PyPI, add "--repository testpypi" if uploading to TestPyPI
    - "uv publish --token $TESTPYPI_ID_TOKEN --index testpypi"
  only:
    refs:
      - develop
      - tags

I get this weird error message from uv when executing the gitlab CI/CD pipeline:

uv publish --index testpypi --token "$TESTPYPI_ID_TOKEN"
error: the argument '--index <INDEX>' cannot be used with '--publish-url <PUBLISH_URL>'
Usage: uv publish --index <INDEX> --token <TOKEN> --username <USERNAME> --password <PASSWORD> [FILES]...

as you can see above, I do not use the --publish-url argument. (I configured the testpypi index in pyproject.toml ).

Here is the tools/build system specification part of my pyproject.toml (for reference):

[[tool.uv.index]]
name = "testpypi"
url = "https://test.pypi.org/simple/"
publish-url = "https://test.pypi.org/legacy/"
explicit = true

[build-system]
requires = ["hatchling"]
build-backend = "hatchling.build"

[tool.hatch.version]
path = "src/labscheduler/__init__.py"

[jamesharr]

@markdoerr , can you edit your reply to include the relevant sections of pyproject.toml? Mostly for reference.

I should also probably provide an update... Below are snippets of what I've settled on for now, but it's not what I'd call an elegant solution. I'll be glad to rip it all out when UV has native support.

Full context in this repo:
https://gitlab.com/internet2-collaboration/python-nso-client/

.gitlab-ci.yaml:

# Trusted publisher used from:
# https://stefan.sofa-rockers.org/2024/11/14/gitlab-trusted-publisher/
.release-base:
# Abstract base job for "release" jobs.
# Extending jobs must define the following variables:
# - PYPI_OIDC_AUD: Audience for the ID token that GitLab issues to the pipeline job
# - PYPI_OIDC_URL: PyPI endpoint for retrieving a publish token with GitLab’s ID token
# - UV_PUBLISH_URL: PyPI endpoint for the actual upload
  image: ghcr.io/astral-sh/uv:alpine
  stage: 'deploy'
  dependencies:
    - lint-ruff
    - test-pytest
    - build
  id_tokens:
    PYPI_ID_TOKEN:
      aud: '$PYPI_OIDC_AUD'
  script:
    - publish_token=$(uv run --no-project --with httpx util/pypi-token.py)
    - 'uv publish --token "$publish_token"'
    - 'version="$(uv run --with hatch-vcs hatchling version)"'
    - 'echo -e "\033[34;1mPackage on PyPI:\033[0m ${CI_ENVIRONMENT_URL}${version}/"'

release-test:
  extends: '.release-base'
  rules:
    - !reference [.rules, release]
    - !reference [.rules, release-test]
  environment:
    name: 'release-test'
    url: 'https://test.pypi.org/project/python-nso-client/'
  variables:
    PYPI_OIDC_AUD: 'testpypi'
    PYPI_OIDC_URL: 'https://test.pypi.org/_/oidc/mint-token'
    UV_PUBLISH_URL: 'https://test.pypi.org/legacy/'

release:
  extends: '.release-base'
  rules:
    - !reference [.rules, release]
  environment:
    name: 'release'
    url: 'https://pypi.org/project/python-nso-client/'
  variables:
    PYPI_OIDC_AUD: 'pypi'
    PYPI_OIDC_URL: 'https://pypi.org/_/oidc/mint-token'
    UV_PUBLISH_URL: 'https://upload.pypi.org/legacy/'

util/pypi-token.py:

# Python script to convert a GitLab-CI OIDC TOken into a PYPI Token
#   PYPI_OIDC_URL - token generated by GitLab with an 'aud' of 'pypi' or 'testpypi'
#   PYPI_ID_TOKEN - PyPI mint-token URL: https://(test.)pypi.org/_/oidc/mint-token
import os
import httpx
resp = httpx.post(
     os.getenv("PYPI_OIDC_URL"),
     json={
         "token": os.getenv("PYPI_ID_TOKEN"),
     },
)
resp.raise_for_status()
print(resp.json()["token"])

[konstin]

Currently, uv only supports GitHub for trusted publishing, but we can add GitLab.

[markdoerr]

Dear @konstin ,
thanks for clarification - that is not clear in the uv documentation (and should definitely stated - I tried several hours to get it working ).
@jamesharr, a large community of gitlab users and myself would be very happy, if uv supports trusted publishers :)

[markdoerr]

@jamesharr,
I added the related part of my pyproject.toml.

Based on @konstin 's comment, it is now comprehensible, why we failed...

@konstin: shall we open a new issue for the gitlab support ?

[konstin]

We can use this issue for adding GitLab trusted publishing support.

[markdoerr]

@konstin,
great, looking forward :)

(hope, it will not take too long)

[jamesharr]

Currently, uv only supports GitHub for trusted publishing, but we can add GitLab.

@konstin , let me know if this issue needs any clarification, if the team needs testers, or anything else -- I'll make myself available. My strength just isn't rust or you'd have a patch now ;)

[woodruffw]

#15583 will add this -- we're able to partially test it with mocks, but it'd be great to have some adventuresome GitLab users give it a test spin as well 🙂

[jamesharr]

I probably won't be able to test it this week, but I'll give it a shot.

I'm not very well versed on rust dev work (and though I do have rust installed). What's the easiest/quickest way to get a build from a PR?

[woodruffw]

I'm not very well versed on rust dev work (and though I do have rust installed). What's the easiest/quickest way to get a build from a PR?

This is on main now, so the easiest thing to do would probably be to run cargo build --release from the repository root and use the resulting ./target/release/uv build 🙂