[🚀 Feature]: Publish Python packages to PyPI as a Trusted Publisher with digital attestation #16082

@cgoldberg

Description

We are not currently uploading Python packages to PyPI as a "Trusted Publisher" or providing any digital attestation.

There are several reasons we should do so:

  • Security: PyPI's normal API tokens are long-lived, meaning that if our release token is compromised, an attacker could publish releases until it is revoked. Trusted Publishing avoids this problem because the tokens minted are short-lived and expire automatically.
  • Verification: On our PyPI page, "Project links" and "GitHub Statistics" will show up under the "Verified details" section.
  • Integrity: We can provide digital attestation that gives users a higher degree of confidence in the integrity of our published packages by asserting that the package's files are published via a short-lived credential corresponding to a specific machine identity.

Current publishing process:

We currently publish 2 Python packages - wheel (binary) and sdist (source). These are built by Bazel and uploaded to PyPI nightly (test.pypi.org) and with each official release (pypi.org). Uploads are triggered via GitHub Actions, which invokes the selenium-release/selenium-release-nightly task defined in ./py/BUILD.bazel. This in turn calls the ./py/release-selenium.py script which uses twine to upload the packages.

Proposed changes:

  • Remove the selenium-release/selenium-release-nightly Bazel tasks, ./py/release-selenium.py script, and package dependencies for twine.
  • Add a Trusted Publisher to our existing project configuration on PyPI
  • Add a GitHub Environment and adjust workflow steps to publish packages with pypa/gh-action-pypi-publish (this will publish packages and automatically generate and upload PEP 740-compatible attestations)

See:

Have you considered any alternatives or workarounds?

No response
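The following workflow is an added example of the proposed setup and is not code from the issue or from the Selenium repository. It assumes a GitHub Environment named `pypi`, an artifact named `python-dists`, and a placeholder Bazel build step; the real wheel/sdist targets are not given here. The Trusted Publisher registered on PyPI must match the repository owner, repository name, workflow filename, and environment name exactly, or the OIDC exchange is rejected.

```yaml
name: Publish Python packages to PyPI (added example, not the project's workflow)

on:
  release:
    types: [published]

jobs:
  build:
    # Build in a separate job with no OIDC permission so that build tooling
    # never runs with the ability to mint a publishing token.
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Build wheel and sdist with Bazel (placeholder targets)
        run: |
          # ASSUMPTION: replace PLACEHOLDER_TARGETS with the real //py wheel and sdist targets
          bazel build //py:PLACEHOLDER_TARGETS
          mkdir -p dist
          cp bazel-bin/py/*.whl bazel-bin/py/*.tar.gz dist/
      - uses: actions/upload-artifact@v4
        with:
          name: python-dists   # assumption: artifact name shared with the publish job
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi          # assumption: GitHub Environment named "pypi"; it is also the name registered in the PyPI Trusted Publisher
    permissions:
      id-token: write          # lets the job request a short-lived OIDC token; no long-lived PyPI API token secret is stored
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: python-dists
          path: dist/
      - name: Publish with Trusted Publishing and PEP 740 attestations
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          packages-dir: dist/
          attestations: true   # generate and upload PEP 740 attestations (on by default in current releases)
          # For the nightly TestPyPI upload, a second workflow would add:
          # repository-url: https://test.pypi.org/legacy/
```

Because no `password` input or `PYPI_API_TOKEN` secret appears, a compromised runner or leaked log cannot yield a reusable credential; the only thing to protect is who may trigger the `pypi` environment, which is enforced by the environment's deployment rules.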

Metadata

Labels

  • B-build: Includes scripting, bazel and CI integrations
  • C-py: Python Bindings
  • I-enhancement: Something could be better