Implementation:Langchain ai Langchain PyPI Trusted Publishing Test
Overview
Concrete tool for uploading LangChain packages to Test PyPI using OIDC trusted publishing, provided by the test-pypi-publish job in _release.yml.
Description
The test-pypi-publish job runs after the build and release-notes jobs. It uses the pypa/gh-action-pypi-publish GitHub Action (release/v1) to upload the built distribution artifacts to Test PyPI at https://test.pypi.org/legacy/.
Key characteristics:
- OIDC trusted publishing: The job requests the `id-token: write` permission, which enables GitHub Actions to mint a short-lived OIDC token. PyPI verifies this token against the package's trusted publisher configuration, so no stored API keys are needed.
- Skip existing: The `skip-existing: true` option is set so that re-running the workflow for the same version does not fail if artifacts were already uploaded. This is noted as being for CI use only and is considered dangerous in other contexts.
- Verbose output: Both `verbose: true` and `print-hash: true` are enabled for auditability.
- Attestations disabled: Attestations are explicitly set to `false` as a temporary workaround for a default-on change in `gh-action-pypi-publish` v1.11.0.
Usage
This job runs automatically in the release pipeline after the build completes. No manual intervention is required. The Test PyPI package page can be inspected at https://test.pypi.org/project/<pkg-name>/.
Code Reference
Source Location: .github/workflows/_release.yml (lines 195-228)
Job Definition:
```yaml
test-pypi-publish:
  needs:
    - build
    - release-notes
  runs-on: ubuntu-latest
  permissions:
    id-token: write
  steps:
    - uses: actions/checkout@v6
    - uses: actions/download-artifact@v7
      with:
        name: dist
        path: ${{ inputs.working-directory }}/dist/
    - name: Publish to test PyPI
      uses: pypa/gh-action-pypi-publish@release/v1
      with:
        packages-dir: ${{ inputs.working-directory }}/dist/
        verbose: true
        print-hash: true
        repository-url: https://test.pypi.org/legacy/
        skip-existing: true
        attestations: false
```
Invocation: Automatic, triggered by job dependency chain in the release pipeline.
I/O Contract
| Direction | Name | Type | Description |
|---|---|---|---|
| Input | dist/ artifacts | Files | The .whl and .tar.gz files from the build job |
| Input | OIDC token | Token | Short-lived identity token from GitHub Actions (id-token: write) |
| Input | repository-url | string | https://test.pypi.org/legacy/ |
| Output | Test PyPI package | Published package | The package is available at https://test.pypi.org/project/<pkg-name>/<version>/ |
| Output | Upload hashes | Logs | SHA-256 hashes of uploaded files printed to job logs |
Usage Examples
Example 1: Verifying the upload on Test PyPI
```shell
# After the job succeeds, check the package page:
# https://test.pypi.org/project/langchain-core/1.2.11/
```
Example 2: Installing from Test PyPI for validation
```shell
# Use Test PyPI as the primary index and production PyPI as the extra index
# so that dependencies not present on Test PyPI still resolve
pip install langchain-core==1.2.11 \
  --index-url https://test.pypi.org/simple/ \
  --extra-index-url https://pypi.org/simple/
```
Example 3: Using the pypa action in a custom workflow
```yaml
- name: Publish to Test PyPI
  uses: pypa/gh-action-pypi-publish@release/v1
  with:
    packages-dir: libs/core/dist/
    repository-url: https://test.pypi.org/legacy/
    skip-existing: true
    verbose: true
    print-hash: true
    attestations: false
```
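Example 4: Checking uploaded digests against a local build. The job prints SHA-256 hashes with `print-hash: true`; the script below, added here as an illustration and not part of the LangChain repository, computes the same digests for a local `dist/` directory and compares them with the digests Test PyPI reports through its JSON API (`https://test.pypi.org/pypi/<project>/<version>/json`), so a mismatched or missing artifact is caught before anyone installs the release. The `demo()` function runs the comparison on constructed sample files and a constructed API document, not on a real release.

```python
import hashlib
import json
import tempfile
import urllib.request
from pathlib import Path


def local_digests(dist_dir):
    """Return {filename: sha256 hex} for every wheel and sdist in dist_dir."""
    digests = {}
    for path in Path(dist_dir).iterdir():
        if path.name.endswith((".whl", ".tar.gz")):
            digests[path.name] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def fetch_release_json(project, version):
    """Fetch the release document from the Test PyPI JSON API (needs network)."""
    url = f"https://test.pypi.org/pypi/{project}/{version}/json"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def remote_digests(release_json):
    """Extract {filename: sha256 hex} from a PyPI JSON API release document."""
    return {f["filename"]: f["digests"]["sha256"] for f in release_json["urls"]}


def compare(local, remote):
    """Report files missing on either side and files whose digests differ."""
    report = {"mismatch": [], "missing_remote": [], "missing_local": []}
    for name in sorted(local):
        if name not in remote:
            report["missing_remote"].append(name)
        elif remote[name] != local[name]:
            report["mismatch"].append(name)
    report["missing_local"] = sorted(n for n in remote if n not in local)
    return report


def demo():
    """Run the check on constructed sample data: the wheel matches, the sdist does not."""
    with tempfile.TemporaryDirectory() as d:
        wheel = Path(d) / "langchain_core-1.2.11-py3-none-any.whl"
        sdist = Path(d) / "langchain_core-1.2.11.tar.gz"
        wheel.write_bytes(b"constructed wheel bytes")
        sdist.write_bytes(b"constructed sdist bytes")
        local = local_digests(d)
        release_json = {"urls": [  # constructed API document, not a real response
            {"filename": wheel.name, "digests": {"sha256": local[wheel.name]}},
            {"filename": sdist.name, "digests": {"sha256": "0" * 64}},
        ]}
        return compare(local, remote_digests(release_json))
```

For a real release, replace the constructed document in `demo()` with `fetch_release_json("langchain-core", "1.2.11")` and point `local_digests()` at the `dist/` directory downloaded from the build job.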