Skip to content

build: switch to trusted publishing#10976

Merged
julian-risch merged 1 commit intomainfrom
trusted-publishing
Mar 30, 2026
Merged

build: switch to trusted publishing#10976
julian-risch merged 1 commit intomainfrom
trusted-publishing

Conversation

@julian-risch
Copy link
Copy Markdown
Member

@julian-risch julian-risch commented Mar 30, 2026

Related Issues

Part of https://github.com/deepset-ai/haystack-private/issues/299

Proposed Changes:

This PR stops the pypi release workflows from using a secret token and instead uses trusted publishing.
To make this work, I created an environment called pypi. Specifying a GitHub environment is optional, but strongly encouraged.
Further, I added permissions: id-token: write. This permission is mandatory for Trusted Publishing. ( see https://docs.pypi.org/trusted-publishers/using-a-publisher/)
I added the action pypa/gh-action-pypi-publish for publishing release and used the commit hash of the latest release. https://github.com/pypa/gh-action-pypi-publish/pkgs/container/gh-action-pypi-publish/505464737?tag=release-v1.13

In the haystack repository, only nightly_testpypi_release.yml and pypi_release.yml used the token. Once this PR is done and a manual pre-release worked, I'll apply open a PR with similar changes in haystack-core-integrations and haystack-experimental.

In pypi, I added two publishers to trusted publishing. One for each workflow.

How did you test it?

Haven't tested it. My plan is to trigger a pre-release manually after the PR got merged.

Notes for the reviewer

My understanding is that with this PR the PyPI Action publishes all the build artifacts in the dist/ folder which is populated by the previous hatch build command. If I am not mistaken GitHub's OIDC identity provider doesn't work with our previous hatch publish command. That's why I replaced it.

Checklist

  • I have read the contributors guidelines and the code of conduct.
  • I have updated the related issue with new insights and changes.
  • I have added unit tests and updated the docstrings.
  • I've used one of the conventional commit types for my PR title: fix:, feat:, build:, chore:, ci:, docs:, style:, refactor:, perf:, test: and added ! in case the PR includes breaking changes.
  • I have documented my code.
  • I have added a release note file, following the contributors guidelines.
  • I have run pre-commit hooks and fixed any issue.

@julian-risch julian-risch requested a review from a team as a code owner March 30, 2026 09:27
@julian-risch julian-risch requested review from davidsbatista and removed request for a team March 30, 2026 09:27
@vercel
Copy link
Copy Markdown

vercel bot commented Mar 30, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
haystack-docs Ignored Ignored Mar 30, 2026 9:27am

Request Review

@julian-risch julian-risch requested review from anakin87 and removed request for davidsbatista March 30, 2026 09:27
anakin87
anakin87 approved these changes Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@anakin87 anakin87 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

Let's try!

@julian-risch julian-risch merged commit 873523c into main Mar 30, 2026
20 checks passed
@julian-risch julian-risch deleted the trusted-publishing branch March 30, 2026 09:35
@julian-risch julian-risch mentioned this pull request Mar 30, 2026
Merged
SyedShahmeerAli12 pushed a commit to SyedShahmeerAli12/haystack that referenced this pull request Mar 30, 2026
@julian-risch @SyedShahmeerAli12
build: switch to trusted publishing (deepset-ai#10976)
36095ef
@julian-risch julian-risch mentioned this pull request Mar 30, 2026
Merged
anakin87 added a commit that referenced this pull request Mar 30, 2026
@SyedShahmeerAli12 @anakin87
@pandego @davidsbatista @HaystackBot @satishkc7 @julian-risch @claude
docs: add TavilyWebSearch component page and external integration en…
93a986b 
…try (#10954)

* docs: add TavilyWebSearch component page and external integration entry

* fix: `CountDocumentsAsyncTest`, `WriteDocumentsAsyncTest`, `WriteDocumentsAsyncTest` (#10948)

* fix: address #10917

* removing lazyimport + solving MRO conflict

---------

Co-authored-by: David S. Batista <[email protected]>

* docs: remove gpt-3.5-turbo mentions and use ChatMessage.txt (no content) (#10958)

* fix: `DeleteAllAsyncTest`, `DeleteByFilterAsyncTest`, (#10952)

* fix: address #10919

* adding delete_all_documents_async missing in InMemoryDocumentStore

---------

Co-authored-by: David S. Batista <[email protected]>

* Sync Haystack API reference on Docusaurus (#10959)

Co-authored-by: davidsbatista <[email protected]>

* fix: `UpdateByFilterAsyncTest`, `CountDocumentsByFilterAsyncTest`, `CountUniqueMetadataByFilterAsyncTest` (#10953)

* fix: address #10920

* formatting

---------

Co-authored-by: David S. Batista <[email protected]>

* Sync Haystack API reference on Docusaurus (#10961)

Co-authored-by: davidsbatista <[email protected]>

* docs: fixing code snippets syntax errors (#10955)

* fixing docs syntax errors

* fixing a few more docs syntax errors

* feat: add get_meta_data async mixin tests to haystack.testing + InMemoryDocumentStore async operations and tests (#10963)

* adding get_metadata async related Mixin tests

* adding get_metadata async methods to the InMemoryDocumentStore

* using Mixin async metadata tests to InMemoryDocumentstore tests

* adding release notes

* double ticks in release notes

* Update haystack/testing/document_store_async.py

Co-authored-by: Stefano Fiorucci <[email protected]>

---------

Co-authored-by: Stefano Fiorucci <[email protected]>

* Sync Haystack API reference on Docusaurus (#10962)

Co-authored-by: davidsbatista <[email protected]>

* docs: update llama.cpp repo links from ggerganov to ggml-org (#10964)

* Sync Core Integrations API reference (nvidia) on Docusaurus (#10974)

Co-authored-by: anakin87 <[email protected]>

* build: switch to trusted publishing (#10976)

* test: adding mixing filter async tests + implementing them in InMemoryDocumentStore tests (#10975)

* docs: address reviewer feedback on TavilyWebSearch docs

- Fix pipeline position description (remove LinkContentFetcher reference)
- Remove hardcoded model name to avoid future maintenance
- Fix .content -> .text (field was removed)
- Move Tavily entry from external-integrations-websearch.mdx to websearch.mdx
- Copy tavilywebsearch.mdx to versioned_docs/version-2.26
- Add tavilywebsearch to sidebars.js and version-2.26-sidebars.json

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

---------

Co-authored-by: Stefano Fiorucci <[email protected]>
Co-authored-by: Miguel Miranda Dias <[email protected]>
Co-authored-by: David S. Batista <[email protected]>
Co-authored-by: Haystack Bot <[email protected]>
Co-authored-by: davidsbatista <[email protected]>
Co-authored-by: SATISH K C <[email protected]>
Co-authored-by: anakin87 <[email protected]>
Co-authored-by: Julian Risch <[email protected]>
Co-authored-by: Claude Sonnet 4.6 <[email protected]>
This was referenced Mar 30, 2026
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anakin87 anakin87 anakin87 approved these changes

Assignees

No one assigned

Labels

topic:CI

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@julian-risch @anakin87