astral-sh/uv
Publishing
uv publish uploads wheels and sdists to PyPI-compatible indexes, with optional OIDC-based
trusted publishing.
Setup
The simplest case: uv publish dist/* from a project that's already built. By default uv:
- Looks at
[[tool.uv.index]]to determine which index to upload to (the default is PyPI'supload.pypi.org). - Resolves credentials via
uv-auth(URL-embedded → env vars → keyring → trusted publishing). - Uploads each file in parallel, with retries for transient failures.
Trusted publishing
Inside a GitHub Actions runner with a properly-configured publisher on PyPI:
- run: uv build
- run: uv publishuv detects the ACTIONS_ID_TOKEN_REQUEST_URL env var, mints an OIDC ID token, exchanges it
for a short-lived API token, and uploads. No long-lived secret needs to be stored in the
repository.
The exchange logic lives in crates/uv-publish/src/trusted_publishing/pypi.rs (and pyx
variant in pyx.rs).
What gets validated locally
Before any upload, uv:
- Parses each filename (
uv-distribution-filename). - Reads
METADATA(uv-metadata). - Computes SHA-256 and BLAKE2b-256 over the file (
uv-extract). - Refuses to upload sdists whose
pyproject.tomlis missing.
This catches surprisingly many real-world packaging errors before they hit the index.
See also
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.