From a129625f67c9ef5e02b49093fbec276fef0e5fda Mon Sep 17 00:00:00 2001
From: Mikita Hradovich
Date: Fri, 17 Apr 2026 11:03:16 +0200
Subject: [PATCH 1/2] CI: remove dead upload_pypi job from reusable workflow, rename to lib-build.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Closes #824. Follow-up to #820. The upload_pypi job in lib-build-and-push.yml was never reachable: none of the four caller workflows pass upload: true. build-push.yml and publish-manually.yml already publish from their own separate jobs (necessary due to how PyPI Trusted Publishing embeds the caller workflow path in the OIDC token). Because the reusable workflow declared 'permissions: id-token: write' for upload_pypi, GitHub's static permission validation forced build-test.yml (a pull_request workflow, which defaults to id-token: none) to also declare id-token: write — granting unnecessary privileges to a job that only builds wheels.
Changes:
- Rename lib-build-and-push.yml -> lib-build.yml (it only builds now)
- Remove upload input and upload_pypi job from the reusable workflow
- Remove 'permissions: id-token: write' and 'with: upload: false' from build-test.yml (no longer needed)
- Update all callers (build-push.yml, publish-manually.yml, build-pre-release.yml) to reference the new workflow path and drop upload: false from with: blocks
- Replace TODO comments in build-push.yml and publish-manually.yml with an explanatory comment: the separate publish job is now intentional design, not a temporary workaround
---
 .github/workflows/build-pre-release.yml | 2 +-
 .github/workflows/build-push.yml | 9 +++---
 .github/workflows/build-test.yml | 6 +---
 .../{lib-build-and-push.yml => lib-build.yml} | 29 ++-----------------
 .github/workflows/publish-manually.yml | 8 +++--
 5 files changed, 15 insertions(+), 39 deletions(-)
 rename .github/workflows/{lib-build-and-push.yml => lib-build.yml} (88%)
diff --git a/.github/workflows/build-pre-release.yml b/.github/workflows/build-pre-release.yml
index e1326b6aa5..f6473c1cc3 100644
--- a/.github/workflows/build-pre-release.yml
+++ b/.github/workflows/build-pre-release.yml
@@ -15,7 +15,7 @@ on:
 
 jobs:
 build-and-publish:
- uses: ./.github/workflows/lib-build-and-push.yml
+ uses: ./.github/workflows/lib-build.yml
 with:
 python-version: ${{ inputs.python-version }}
 target: ${{ inputs.target }}
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
index 7414daec3a..3a3d93171a 100644
--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@@ -10,11 +10,12 @@ on:
 jobs:
 build-and-publish:
 name: "Build wheels"
- uses: ./.github/workflows/lib-build-and-push.yml
- with:
- upload: false
+ uses: ./.github/workflows/lib-build.yml
 
- # TODO: Remove when https://github.com/pypa/gh-action-pypi-publish/issues/166 is fixed and update build-and-publish.with.upload to ${{ endsWith(github.event.ref, 'scylla') }}
+ # Publishing is a separate job (not inside the reusable workflow) because PyPI Trusted Publishing
+ # requires the *caller* workflow path in the OIDC token. A reusable workflow would embed its own
+ # path instead, causing an `invalid-publisher` error on the PyPI side.
+ # See: https://github.com/pypa/gh-action-pypi-publish/issues/166
 publish:
 name: "Publish wheels to PyPi"
 if: ${{ endsWith(github.event.ref, 'scylla') }}
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index b0d261d9d6..ebfe383047 100644
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -18,8 +18,4 @@ jobs:
 test-wheels-build:
 name: "Test wheels building"
 if: "!contains(github.event.pull_request.labels.*.name, 'disable-test-build')"
- uses: ./.github/workflows/lib-build-and-push.yml
- permissions:
- id-token: write
- with:
- upload: false
\ No newline at end of file
+ uses: ./.github/workflows/lib-build.yml
\ No newline at end of file
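Review bot: The four-line rationale added above `publish:` in build-push.yml is repeated verbatim in the publish-manually.yml hunk, so the two copies will drift the next time the Trusted Publishing constraint or the upstream issue status changes. Keep the full explanation in one place (a header comment in lib-build.yml, or a short CI README) and reduce each caller to a one-line pointer such as `# Publishing must stay in the caller workflow (PyPI Trusted Publishing checks the caller's OIDC claim); see lib-build.yml header`. The `publish` job itself continues past the end of the hunk.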
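Review bot: Dropping the whole `permissions:` block from `test-wheels-build` leaves the called lib-build.yml running with whatever default `GITHUB_TOKEN` scope the repository configures for pull_request runs, which depending on repository settings can be broader than read-only; the commit's stated goal of not over-privileging a build-only job is better served by an explicit floor. Add, under the new `uses:` line, `permissions:` / `  contents: read` — a job-level `permissions` on a reusable-workflow call can only narrow what the callee receives, never widen it. The lib-build.yml steps visible in this patch (cibuildwheel, actions/upload-artifact) appear to need nothing beyond that, but confirm against the parts of lib-build.yml outside the patch. The same explicit floor would suit the `build-and-publish` jobs in build-push.yml and publish-manually.yml, leaving their separate `publish` jobs as the only places that should carry `id-token: write`.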
diff --git a/.github/workflows/lib-build-and-push.yml b/.github/workflows/lib-build.yml
similarity index 88%
rename from .github/workflows/lib-build-and-push.yml
rename to .github/workflows/lib-build.yml
index 0b1ce47647..f8d0d7a4cc 100644
--- a/.github/workflows/lib-build-and-push.yml
+++ b/.github/workflows/lib-build.yml
@@ -1,14 +1,8 @@
-name: Build and upload to PyPi
+name: Build wheels
 
 on:
 workflow_call:
 inputs:
- upload:
- description: 'Upload to PyPI'
- type: boolean
- required: false
- default: false
-
 python-version:
 description: 'Python version to run on'
 type: string
@@ -146,12 +140,12 @@ jobs:
 if: matrix.target != 'linux-aarch64'
 shell: bash
 run: |
- GITHUB_WORKFLOW_REF="scylladb/python-driver/.github/workflows/lib-build-and-push.yml@refs/heads/master" cibuildwheel --output-dir wheelhouse
+ GITHUB_WORKFLOW_REF="scylladb/python-driver/.github/workflows/lib-build.yml@refs/heads/master" cibuildwheel --output-dir wheelhouse
 
 - name: Build wheels for linux aarch64
 if: matrix.target == 'linux-aarch64'
 run: |
- GITHUB_WORKFLOW_REF="scylladb/python-driver/.github/workflows/lib-build-and-push.yml@refs/heads/master" CIBW_BUILD="cp3*" cibuildwheel --archs aarch64 --output-dir wheelhouse
+ GITHUB_WORKFLOW_REF="scylladb/python-driver/.github/workflows/lib-build.yml@refs/heads/master" CIBW_BUILD="cp3*" cibuildwheel --archs aarch64 --output-dir wheelhouse
 
 - uses: actions/upload-artifact@v7
 with:
@@ -176,20 +170,3 @@ jobs:
 with:
 name: source-dist
 path: dist/*.tar.gz
-
- upload_pypi:
- if: inputs.upload
- needs: [build-wheels, build-sdist]
- runs-on: ubuntu-24.04
- permissions:
- id-token: write
-
- steps:
- - uses: actions/download-artifact@v8
- with:
- path: dist
- merge-multiple: true
-
- - uses: pypa/gh-action-pypi-publish@release/v1
- with:
- skip-existing: true
diff --git a/.github/workflows/publish-manually.yml b/.github/workflows/publish-manually.yml
index 83ed290a2b..2f15c6ecda 100644
--- a/.github/workflows/publish-manually.yml
+++ b/.github/workflows/publish-manually.yml
@@ -39,15 +39,17 @@ on:
 jobs:
 build-and-publish:
 name: "Build wheels"
- uses: ./.github/workflows/lib-build-and-push.yml
+ uses: ./.github/workflows/lib-build.yml
 with:
- upload: false
 python-version: ${{ inputs.python-version }}
 ignore_tests: ${{ inputs.ignore_tests }}
 target_tag: ${{ inputs.target_tag }}
 target: ${{ inputs.target }}
 
- # TODO: Remove when https://github.com/pypa/gh-action-pypi-publish/issues/166 is fixed and update build-and-publish.with.upload to ${{ inputs.upload }}
+ # Publishing is a separate job (not inside the reusable workflow) because PyPI Trusted Publishing
+ # requires the *caller* workflow path in the OIDC token. A reusable workflow would embed its own
+ # path instead, causing an `invalid-publisher` error on the PyPI side.
+ # See: https://github.com/pypa/gh-action-pypi-publish/issues/166
 publish:
 name: "Publish wheels to PyPi"
 needs: build-and-publish
From f4078507016565fce046968fa80c4a02dd7d7437 Mon Sep 17 00:00:00 2001
From: Mikita Hradovich
Date: Fri, 17 Apr 2026 11:27:01 +0200
Subject: [PATCH 2/2] CI: remove ineffective GITHUB_WORKFLOW_REF override from cibuildwheel steps
GITHUB_WORKFLOW_REF was set as a shell env var prefix on the cibuildwheel invocations as an attempted workaround for pypa/gh-action-pypi-publish#166 (reusable workflows not supported by PyPI Trusted Publishing). The workaround does not work for two reasons:
1. GITHUB_WORKFLOW_REF is a GitHub runner-provided variable used to populate the OIDC token. Setting it in a child process's environment has no effect on the token GitHub's infrastructure mints.
2. The OIDC token is minted when pypa/gh-action-pypi-publish runs (in the publish job), not when cibuildwheel runs (in build-wheels). The variable was set in the wrong job entirely.
The actual working workaround is running pypa/gh-action-pypi-publish directly in the caller workflow (build-push.yml, publish-manually.yml), which is already done. This variable override is dead code with no effect.
---
 .github/workflows/lib-build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/lib-build.yml b/.github/workflows/lib-build.yml
index f8d0d7a4cc..bc094d1b11 100644
--- a/.github/workflows/lib-build.yml
+++ b/.github/workflows/lib-build.yml
@@ -140,12 +140,12 @@ jobs:
 if: matrix.target != 'linux-aarch64'
 shell: bash
 run: |
- GITHUB_WORKFLOW_REF="scylladb/python-driver/.github/workflows/lib-build.yml@refs/heads/master" cibuildwheel --output-dir wheelhouse
+ cibuildwheel --output-dir wheelhouse
 
 - name: Build wheels for linux aarch64
 if: matrix.target == 'linux-aarch64'
 run: |
- GITHUB_WORKFLOW_REF="scylladb/python-driver/.github/workflows/lib-build.yml@refs/heads/master" CIBW_BUILD="cp3*" cibuildwheel --archs aarch64 --output-dir wheelhouse
+ CIBW_BUILD="cp3*" cibuildwheel --archs aarch64 --output-dir wheelhouse
 
 - uses: actions/upload-artifact@v7
 with: