PyPI

Changelog

  • 2025-08-22: Init

This page mostly follows this user guide for uploading packages to PyPI.

Manual quick summary

Create a PyPI account. A project name is claimed by the first upload (PyPI does not reserve names ahead of time), so the first upload needs an account-scoped API token; once the project exists, create a token scoped to just that project for routine uploads, so a leaked token cannot publish under other names.

For the project, prepare at minimum a pyproject.toml with the [build-system] and [project] tables populated.

Install the build package, which produces the source distribution (the sdist tarball) and builds a wheel from it, and twine, which uploads both to PyPI:

user:~$ python -m build
user:~$ python -m twine upload dist/*
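A minimal pyproject.toml of the kind the summary describes, using the setuptools backend. This is an added example, not a file from the page or from any particular project; the project name, version, description and author details are placeholders.

```toml
# Added example: minimal pyproject.toml for a setuptools-built package.
# Names and values below are placeholders, not a real project.

[build-system]
# What `python -m build` installs into its isolated build environment,
# and which backend it calls to produce the sdist and wheel.
requires = ["setuptools>=61.0"]
build-backend = "setuptools.build_meta"

[project]
name = "example-package-yourname"   # placeholder; must be unused on PyPI
version = "0.0.1"                   # PEP 440 version; PyPI rejects re-uploads of an existing version
description = "A small example package"
readme = "README.md"
requires-python = ">=3.9"
license = { text = "MIT" }
authors = [
  { name = "Example Author", email = "author@example.com" },  # placeholder
]
classifiers = [
  "Programming Language :: Python :: 3",
  "Operating System :: OS Independent",
]
```

With this file in place, `python -m build` writes the sdist and wheel into dist/. Before uploading, `python -m twine check dist/*` validates the metadata and long description. twine authenticates with the API token by using the literal username `__token__` and the token (which begins with `pypi-`) as the password; these can be supplied interactively, through the TWINE_USERNAME and TWINE_PASSWORD environment variables, or from ~/.pypirc. Keep the token out of the repository and shell history.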

GitHub Actions for CI

The manual workflow above builds locally and uploads to PyPI with twine using a long-lived API token. The continuous integration workflow differs in two ways:

  • The build runs on every commit push, as a series of steps: check out the repository, install Python and the build package, run the build, and store the resulting distributions as a workflow artifact.
  • Publishing is a separate job that retrieves that artifact and publishes it directly to PyPI.

Authentication uses OIDC (PyPI calls this "trusted publishing"): the project's settings on PyPI record which source (for GitHub, the repository owner and name, the workflow file and optionally an environment name) may push distributions, and PyPI verifies the short-lived identity token issued by that source, which acts as the identity provider. No long-lived API token is stored in the CI system.

PyPI screenshot when configuring OIDC

Additional security measures taken include:

  • Separating the build job from the publish job, so that code executed during the build (the project's own code and its build backend, plus whatever they pull in) cannot reach the identity token that authorises publishing.
  • GitHub environments are used to add deployment gates before the publish job may run (e.g. required reviewers, deployments only from protected branches or tags).

Build system

Different possible build backends:

Some articles on choosing a backend:

kb/lang/scripting/python/pypi.txt · Last modified: 26 hours ago (22 August 2025) by justin