pypa · facutuesca · May 19, 2025
diff --git a/Dockerfile b/Dockerfile
@@ -28,7 +28,6 @@ COPY LICENSE.md .
 COPY twine-upload.sh .
 COPY print-hash.py .
 COPY print-pkg-names.py .
-COPY oidc-exchange.py .
 COPY attestations.py .
 
 RUN chmod +x twine-upload.sh

diff --git a/oidc-exchange.py b/oidc-exchange.py
diff --git a/requirements/runtime.in b/requirements/runtime.in
@@ -1,17 +1,9 @@
 -c runtime-constraints.in  # limits known broken versions
 
-# NOTE: v6.1 is needed to support metadata v2.4 including PEP 639
+# NOTE: v6.1 is needed to support metadata v2.4 including PEP 639,
+# and also uploading via Trusted Publishing
 twine >= 6.1
 
-# NOTE: Used to detect an ambient OIDC credential for OIDC publishing,
-# NOTE: as well as PEP 740 attestations.
-id ~= 1.0
-
-# NOTE: This is pulled in transitively through `twine`, but we also declare
-# NOTE: it explicitly here because `oidc-exchange.py` uses it.
-# Ref: https://github.com/di/id
-requests
-
 # NOTE: Used to generate attestations.
 pypi-attestations ~= 0.0.15
 sigstore ~= 3.5.1

diff --git a/requirements/runtime.txt b/requirements/runtime.txt
@@ -36,7 +36,6 @@ hyperframe==6.1.0
     # via h2
 id==1.5.0
     # via
-    #   -r runtime.in
     #   sigstore
     #   twine
 idna==3.10
@@ -104,7 +103,6 @@ readme-renderer==44.0
     # via twine
 requests==2.32.3
     # via
-    #   -r runtime.in
     #   id
     #   pypi-attestations
     #   requests-toolbelt

diff --git a/twine-upload.sh b/twine-upload.sh
@@ -118,9 +118,10 @@ fi
 
 if "${TRUSTED_PUBLISHING}" ; then
     # No password supplied by the user implies that we're in the OIDC flow;
-    # retrieve the OIDC credential and exchange it for a PyPI API token.
+    # call twine with an empty password, since twine will detect it's running
+    # inside CI/CD, retrieve the OIDC token and exchange it for a PyPI API token.
     echo "::debug::Authenticating to ${INPUT_REPOSITORY_URL} via Trusted Publishing"
-    INPUT_PASSWORD="$(python /app/oidc-exchange.py)"
+    INPUT_PASSWORD=""
 elif [[ "${INPUT_USER}" == '__token__' ]]; then
     echo \
         '::debug::Using a user-provided API token for authentication' \
@@ -145,7 +146,8 @@ fi
 
 if [[
     "$INPUT_USER" == "__token__" &&
-    ! "$INPUT_PASSWORD" =~ ^pypi-
+    ! "$INPUT_PASSWORD" =~ ^pypi- &&
+    "${TRUSTED_PUBLISHING}" == false
   ]]
 then
     if [[ -z "$INPUT_PASSWORD" ]]; then
@@ -208,7 +210,14 @@ if [[ ${INPUT_PRINT_HASH,,} != "false" || ${INPUT_VERBOSE,,} != "false" ]] ; the
     python /app/print-hash.py ${INPUT_PACKAGES_DIR%%/}
 fi
 
-TWINE_USERNAME="$INPUT_USER" \
-TWINE_PASSWORD="$INPUT_PASSWORD" \
-TWINE_REPOSITORY_URL="$INPUT_REPOSITORY_URL" \
-  exec twine upload ${TWINE_EXTRA_ARGS} ${INPUT_PACKAGES_DIR%%/}/*
+# Using Trusted Publishing with twine requires not setting the password env var.
+if "${TRUSTED_PUBLISHING}" ; then
+  TWINE_USERNAME="$INPUT_USER" \
+  TWINE_REPOSITORY_URL="$INPUT_REPOSITORY_URL" \
+    exec twine upload ${TWINE_EXTRA_ARGS} ${INPUT_PACKAGES_DIR%%/}/*
+else
+  TWINE_USERNAME="$INPUT_USER" \
+  TWINE_PASSWORD="$INPUT_PASSWORD" \
+  TWINE_REPOSITORY_URL="$INPUT_REPOSITORY_URL" \
+    exec twine upload ${TWINE_EXTRA_ARGS} ${INPUT_PACKAGES_DIR%%/}/*
+fi