14
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill terrylica/cc-skills --skill pypi-doppler- SKILL.md16.1 KB
Overview
This skill provides a secure, local-only PyPI publishing workflow that uses Doppler for secret management and enforces CI detection guards. It separates automated versioning (runs in GitHub Actions) from the actual publish step, which must be run manually on a developer workstation. The goal is faster, safer releases with explicit manual approval and no PyPI tokens stored in CI.
How this skill works
The skill bundles a canonical publish script (scripts/publish-to-pypi.sh) that verifies repository ownership, checks CI environment variables, retrieves PYPI_TOKEN from Doppler, builds the package, publishes to PyPI, and verifies the release. GitHub Actions handles semantic versioning, changelog generation, tags, and release creation; the local script only publishes the already-created release. CI detection guards exit early if any CI variables are present.
When to use it
- When you need to publish a Python package to PyPI from your local machine
- When you want Doppler-managed PyPI tokens instead of storing secrets in CI
- When your project enforces manual approval and repository verification before publish
- When semantic-release runs in CI for versioning but PyPI upload must remain local
- When you need a short, repeatable local publish workflow that verifies success on PyPI
Best practices
- Always pull the latest main branch and confirm semantic-release bumped the version before publishing
- Use the bundled scripts/publish-to-pypi.sh to preserve CI guards, repo checks, and Doppler integration
- Keep PyPI tokens only in Doppler; rotate tokens regularly and verify 2FA on your PyPI account
- Never run the publish script inside CI/CD; unset CI variables locally if they are present
- Test with TestPyPI using a dedicated TESTPYPI_TOKEN stored in Doppler before production publishes
Example use cases
- A maintainer runs semantic-release in CI to create a GitHub release, then runs ./scripts/publish-to-pypi.sh locally to upload the new version
- A team rotates the PyPI token: create new token on PyPI, update Doppler, then verify publish locally
- A contributor verifies build artifacts locally and publishes to TestPyPI using a TESTPYPI_TOKEN retrieved from Doppler
- A repository enforces ADR-0027: CI only handles tagging and changelogs, local machine handles sensitive PyPI publish
FAQ
Local-only publishing prevents long-lived PyPI tokens from being stored in CI, requires manual approval, and reduces the attack surface while speeding up the final publish step.
What if CI variables are set on my workstation?
Unset CI-related environment variables (for example unset CI and unset GITHUB_ACTIONS) before running the canonical publish script; the script intentionally blocks if it detects CI.