pypi-doppler_skill

This skill enables local PyPI publishing with Doppler credential management, enforcing local-only workflows and manual release approvals.
  • TypeScript

14

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill terrylica/cc-skills --skill pypi-doppler

  • SKILL.md16.1 KB

Overview

This skill provides a secure, local-only PyPI publishing workflow that uses Doppler for secret management and enforces CI detection guards. It separates automated versioning (runs in GitHub Actions) from the actual publish step, which must be run manually on a developer workstation. The goal is faster, safer releases with explicit manual approval and no PyPI tokens stored in CI.

How this skill works

The skill bundles a canonical publish script (scripts/publish-to-pypi.sh) that verifies repository ownership, checks CI environment variables, retrieves PYPI_TOKEN from Doppler, builds the package, publishes to PyPI, and verifies the release. GitHub Actions handles semantic versioning, changelog generation, tags, and release creation; the local script only publishes the already-created release. CI detection guards exit early if any CI variables are present.

When to use it

  • When you need to publish a Python package to PyPI from your local machine
  • When you want Doppler-managed PyPI tokens instead of storing secrets in CI
  • When your project enforces manual approval and repository verification before publish
  • When semantic-release runs in CI for versioning but PyPI upload must remain local
  • When you need a short, repeatable local publish workflow that verifies success on PyPI

Best practices

  • Always pull the latest main branch and confirm semantic-release bumped the version before publishing
  • Use the bundled scripts/publish-to-pypi.sh to preserve CI guards, repo checks, and Doppler integration
  • Keep PyPI tokens only in Doppler; rotate tokens regularly and verify 2FA on your PyPI account
  • Never run the publish script inside CI/CD; unset CI variables locally if they are present
  • Test with TestPyPI using a dedicated TESTPYPI_TOKEN stored in Doppler before production publishes

Example use cases

  • A maintainer runs semantic-release in CI to create a GitHub release, then runs ./scripts/publish-to-pypi.sh locally to upload the new version
  • A team rotates the PyPI token: create new token on PyPI, update Doppler, then verify publish locally
  • A contributor verifies build artifacts locally and publishes to TestPyPI using a TESTPYPI_TOKEN retrieved from Doppler
  • A repository enforces ADR-0027: CI only handles tagging and changelogs, local machine handles sensitive PyPI publish

FAQ

Local-only publishing prevents long-lived PyPI tokens from being stored in CI, requires manual approval, and reduces the attack surface while speeding up the final publish step.

What if CI variables are set on my workstation?

Unset CI-related environment variables (for example unset CI and unset GITHUB_ACTIONS) before running the canonical publish script; the script intentionally blocks if it detects CI.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
pypi-doppler skill by terrylica/cc-skills | VeilStrat