CI: remove dead upload_pypi job from reusable workflow, rename to lib-build.yml #825
Merged
dkropachev merged 2 commits into scylladb:master on Apr 18, 2026
Conversation
…-build.yml

Closes scylladb#824. Follow-up to scylladb#820.

The upload_pypi job in lib-build-and-push.yml was never reachable: none of the four caller workflows pass upload: true. build-push.yml and publish-manually.yml already publish from their own separate jobs (necessary due to how PyPI Trusted Publishing embeds the caller workflow path in the OIDC token).

Because the reusable workflow declared 'permissions: id-token: write' for upload_pypi, GitHub's static permission validation forced build-test.yml (a pull_request workflow, which defaults to id-token: none) to also declare id-token: write — granting unnecessary privileges to a job that only builds wheels.

Changes:
- Rename lib-build-and-push.yml -> lib-build.yml (it only builds now)
- Remove upload input and upload_pypi job from the reusable workflow
- Remove 'permissions: id-token: write' and 'with: upload: false' from build-test.yml (no longer needed)
- Update all callers (build-push.yml, publish-manually.yml, build-pre-release.yml) to reference the new workflow path and drop upload: false from with: blocks
- Replace TODO comments in build-push.yml and publish-manually.yml with an explanatory comment: the separate publish job is now intentional design, not a temporary workaround
… steps

GITHUB_WORKFLOW_REF was set as a shell env var prefix on the cibuildwheel invocations as an attempted workaround for pypa/gh-action-pypi-publish#166 (reusable workflows not supported by PyPI Trusted Publishing).

The workaround does not work for two reasons:
1. GITHUB_WORKFLOW_REF is a GitHub runner-provided variable used to populate the OIDC token. Setting it in a child process's environment has no effect on the token GitHub's infrastructure mints.
2. The OIDC token is minted when pypa/gh-action-pypi-publish runs (in the publish job), not when cibuildwheel runs (in build-wheels). The variable was set in the wrong job entirely.

The actual working workaround is running pypa/gh-action-pypi-publish directly in the caller workflow (build-push.yml, publish-manually.yml), which is already done. This variable override is dead code with no effect.
Pull request overview
This PR simplifies the CI packaging setup by removing an unreachable PyPI upload job from the reusable workflow, renaming it to reflect its build-only role, and restoring least-privilege permissions for PR builds.
Changes:
- Renamed the reusable workflow to `.github/workflows/lib-build.yml` and removed the dead `upload_pypi` job + `upload` input.
- Updated all caller workflows to reference the new reusable workflow path and removed now-invalid `with: upload: false`.
- Removed an ineffective `GITHUB_WORKFLOW_REF` override from wheel build steps and dropped unnecessary `id-token: write` permissions from the PR build workflow.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/lib-build.yml | Removes upload logic/permissions from the reusable workflow and keeps only build artifacts (wheels + sdist). |
| .github/workflows/build-test.yml | Stops requesting id-token: write and switches to the renamed reusable build workflow. |
| .github/workflows/build-push.yml | Updates caller to use lib-build.yml and documents why publishing remains caller-side. |
| .github/workflows/publish-manually.yml | Updates caller to use lib-build.yml and documents caller-side publishing requirement for OIDC. |
| .github/workflows/build-pre-release.yml | Updates caller to reference the renamed reusable build workflow. |
Comments suppressed due to low confidence (1)
.github/workflows/lib-build.yml:1
- The reusable workflow name says "Build wheels", but this workflow also builds and uploads the source distribution artifact (job `build-sdist`). Consider renaming the workflow to reflect both outputs (e.g., wheels + sdist) to avoid confusion when reading GitHub Actions runs or searching logs.
dkropachev approved these changes on Apr 18, 2026
Summary
Closes #824. Follow-up to #820, addressing @Lorak-mmk's review concern.
The `upload_pypi` job in `lib-build-and-push.yml` was never reachable: none of the four caller workflows pass `upload: true`. `build-push.yml` and `publish-manually.yml` already publish from their own separate jobs — this is required by how PyPI Trusted Publishing works: the OIDC token embeds the caller workflow path, so the `pypa/gh-action-pypi-publish` action must run in the caller, not inside a reusable workflow (see pypa/gh-action-pypi-publish#166).

Because the reusable workflow declared `permissions: id-token: write` for `upload_pypi`, GitHub's static permission validation (which runs before evaluating any `if:` conditions) forced `build-test.yml` — a `pull_request` workflow, where `id-token` defaults to `none` — to also declare `id-token: write`. This granted unnecessary privileges to a job that only builds wheels.

Changes

Commit 1: remove dead upload_pypi job, rename to lib-build.yml
- Rename `lib-build-and-push.yml` → `lib-build.yml` (it only builds now)
- Remove `upload` input and `upload_pypi` job from the reusable workflow
- Remove `permissions: id-token: write` and `with: upload: false` from `build-test.yml` — no longer needed, principle of least privilege restored
- Update all callers (`build-push.yml`, `publish-manually.yml`, `build-pre-release.yml`) to reference the new workflow path and drop the now-nonexistent `upload: false` from `with:` blocks
- Replace TODO comments in `build-push.yml` and `publish-manually.yml`: the separate publish job is now intentional design, not a temporary workaround pending an upstream fix

Commit 2: remove ineffective GITHUB_WORKFLOW_REF override
`GITHUB_WORKFLOW_REF` was set as a shell env var prefix on the `cibuildwheel` invocations, introduced in #439 as a workaround for the same issue #166. It does not work for two reasons:
1. `GITHUB_WORKFLOW_REF` is set by GitHub's runner infrastructure to populate the OIDC token — overriding it in a child process's environment has no effect on the token GitHub's servers mint.
2. The OIDC token is minted when `pypa/gh-action-pypi-publish` runs (in the `publish` job), not when `cibuildwheel` runs (in `build-wheels`). The variable was being set in the wrong job entirely.

The actual working workaround is already in place: `pypa/gh-action-pypi-publish` runs directly in the caller workflows (`build-push.yml`, `publish-manually.yml`). This variable override was dead code with no effect.

Result (removed by this PR)
- `build-test.yml` permissions: `id-token: write` (unnecessary)
- `lib-build-and-push.yml`: `upload_pypi` job
- `GITHUB_WORKFLOW_REF` env var
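The permission coupling the PR describes, shown as an added illustration rather than the project's actual workflow files: a reusable workflow that declares `id-token: write` on a job that is never enabled still forces every `pull_request` caller to grant that permission, because GitHub validates caller-granted versus callee-declared permissions before any `if:` is evaluated. The corrected layout keeps the reusable workflow build-only and puts the one job that needs an OIDC token in the caller. Job names, the `pypi` environment name, action version tags and the `cibuildwheel` command line are assumptions for the example, not taken from the PR.

```yaml
# Added example (not the project's workflow files). Job names, environment
# name, action versions and the build command are assumed for illustration.

# ---- BEFORE: reusable workflow carries an upload job that no caller enables ----
# .github/workflows/lib-build-and-push.yml
name: Build wheels
on:
  workflow_call:
    inputs:
      upload:
        type: boolean
        default: false
jobs:
  build-wheels:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pipx run cibuildwheel --output-dir wheelhouse   # assumed command
      - uses: actions/upload-artifact@v4
        with: { name: wheels, path: wheelhouse/ }
  upload_pypi:
    if: inputs.upload         # never true, but permissions are checked statically
    needs: build-wheels
    runs-on: ubuntu-latest
    permissions:
      id-token: write         # forces every caller to grant id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with: { name: wheels, path: dist/ }
      - uses: pypa/gh-action-pypi-publish@release/v1

# .github/workflows/build-test.yml (pull_request caller, BEFORE)
name: Build test
on: pull_request
jobs:
  build:
    uses: ./.github/workflows/lib-build-and-push.yml
    permissions:
      id-token: write         # granted only to satisfy the callee's declaration
    with:
      upload: false

# ---- AFTER: reusable workflow only builds; the caller owns publishing ----
# .github/workflows/lib-build.yml
name: Build wheels
on: workflow_call
jobs:
  build-wheels:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pipx run cibuildwheel --output-dir wheelhouse   # assumed command
      - uses: actions/upload-artifact@v4
        with: { name: wheels, path: wheelhouse/ }

# .github/workflows/build-test.yml (pull_request caller, AFTER)
name: Build test
on: pull_request
jobs:
  build:
    uses: ./.github/workflows/lib-build.yml   # no permissions block: id-token stays none

# .github/workflows/build-push.yml (AFTER): the publish job runs in the caller,
# so the OIDC token describes this workflow file, which is what PyPI is told to trust
name: Build and push
on:
  push:
    tags: ['*']
jobs:
  build:
    uses: ./.github/workflows/lib-build.yml
  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi         # assumed environment name
    permissions:
      id-token: write         # the only job that needs the OIDC token
    steps:
      - uses: actions/download-artifact@v4
        with: { name: wheels, path: dist/ }
      - uses: pypa/gh-action-pypi-publish@release/v1
```

To confirm the least-privilege result on a real repository, open the "Set up job" step of a `pull_request` run of the build-test workflow after the change: the GITHUB_TOKEN permissions it lists should no longer include `id-token`. Conversely, if the reusable workflow ever regains a job declaring `id-token: write`, the PR workflow will fail at validation again, before any job starts, which is the behaviour that forced the original over-grant.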