Trusted publishing allows uploading a package from GitHub Actions to PyPI without manually setting a secret token. Instead, you specify on PyPI which GitHub Actions workflow is allowed to publish the package.
This repository contains a full, self-contained example for trusted publishing with uv. The release workflow can be found in .github/workflows/release.yml. On PyPI, the matching configuration is set under https://pypi.org/manage/project/<package-name>/settings/publishing/.
You can find the published package at https://pypi.org/project/trusted-publishing-examples/.
.github/workflows/ci.yml is a minimal test and lint workflow for a Python package, while .github/workflows/errors.yml is for testing uv itself only.
- uv's side: https://docs.astral.sh/uv/guides/publish/
- PyPI's side: https://docs.pypi.org/trusted-publishers/
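
For orientation, here is a sketch of what a trusted-publishing release workflow for uv can look like; it is an added example, not a copy of this repository's .github/workflows/release.yml. The tag trigger, the job name and the `pypi` environment name are assumptions, and the workflow file name, repository and environment entered on the PyPI publishing settings page must match whatever you actually use.

```yaml
# Added example: minimal trusted-publishing release workflow for uv.
# Not this repository's release.yml; trigger, job and environment names are assumptions.
name: Release

on:
  push:
    tags:
      - "v*"            # assumed: a release is cut by pushing a version tag

# Start with no token permissions at workflow level and grant them per job.
permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    # Assumed environment name. If you set one, enter the same name in the
    # PyPI publisher settings so only jobs in this environment can publish.
    environment: pypi
    permissions:
      contents: read    # needed for checkout
      id-token: write   # lets the job request the OIDC token used for publishing
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the git token in the workspace
      - uses: astral-sh/setup-uv@v5
      - run: uv build
      # No PyPI token or password is configured anywhere in this workflow.
      # "always" makes the step fail if trusted publishing is unavailable
      # instead of continuing without it.
      - run: uv publish --trusted-publishing always
```

Keeping `id-token: write` on the publishing job only, rather than at workflow level, limits which steps can request a token that PyPI will accept.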