Skip to main content

uv publish

Upload distributions to a package index (PyPI or private registries).

Usage

Description

Upload Python distributions (wheels and source distributions) to a package index. By default, publishes to PyPI, but can be configured to publish to private registries. Supports multiple authentication methods:
  • Username and password
  • API tokens
  • Trusted publishing (GitHub Actions, GitLab CI/CD)
  • Keyring integration

Arguments

[FILES]...

Paths to the files to upload. Accepts glob expressions. Defaults to dist/*. Selects only wheels and source distributions and their attestations, while ignoring other files.

Options

Index configuration

--index <INDEX>

The name of an index in the configuration to use for publishing. The index must have a publish-url setting in your pyproject.toml or uv.toml:
The index url will be used to check for existing files to skip duplicate uploads. With these settings, the following two calls are equivalent:
Environment variable: UV_PUBLISH_INDEX

--publish-url <PUBLISH_URL>

The URL of the upload endpoint (not the index URL). Note that there are typically different URLs for index access (e.g., https://.../simple) and index upload. Defaults to PyPI’s publish URL: https://upload.pypi.org/legacy/
Environment variable: UV_PUBLISH_URL

--check-url <CHECK_URL>

Check an index URL for existing files to skip duplicate uploads. This option allows retrying publishing that failed after only some, but not all files have been uploaded, and handles errors due to parallel uploads of the same file. Before uploading, the index is checked. If the exact same file already exists in the index, the file will not be uploaded. If an error occurred during the upload, the index is checked again, to handle cases where the identical file was uploaded twice in parallel. The exact behavior will vary based on the index. When uploading to PyPI, uploading the same file succeeds even without --check-url, while most other indexes error. When uploading to pyx, the index URL can be inferred automatically from the publish URL. The index must provide one of the supported hashes (SHA-256, SHA-384, or SHA-512).
Environment variable: UV_PUBLISH_CHECK_URL

Authentication

-u, --username <USERNAME>

The username for the upload.
Environment variable: UV_PUBLISH_USERNAME

-p, --password <PASSWORD>

The password for the upload.
For security, prefer using environment variables or keyring:
Environment variable: UV_PUBLISH_PASSWORD

-t, --token <TOKEN>

The token for the upload. Using a token is equivalent to passing __token__ as --username and the token as --password.
For security, prefer using environment variables:
Environment variable: UV_PUBLISH_TOKEN

--trusted-publishing <TRUSTED_PUBLISHING>

Configure trusted publishing. By default, uv checks for trusted publishing when running in a supported environment, but ignores it if it isn’t configured. Supported environments:
  • GitHub Actions
  • GitLab CI/CD
Values:
  • always - Require trusted publishing
  • never - Disable trusted publishing
  • automatic - Use if available (default)

--keyring-provider <KEYRING_PROVIDER>

Attempt to use keyring for authentication for remote requirements files. At present, only --keyring-provider subprocess is supported, which configures uv to use the keyring CLI to handle authentication. Defaults to disabled.
Environment variable: UV_KEYRING_PROVIDER

Upload options

--dry-run

Perform a dry run without uploading files. When enabled, the command will check for existing files if --check-url is provided, and will perform validation against the index if supported, but will not upload any files.
Useful for testing your publishing configuration.

--no-attestations

Do not upload attestations for the published files. By default, uv attempts to upload matching PEP 740 attestations with each distribution that is published.
Environment variable: UV_PUBLISH_NO_ATTESTATIONS

Examples

Publish to PyPI

Using an API token (recommended):
Or with username and password:

Publish to Test PyPI

Publish to a private registry

Configure in pyproject.toml:
Then publish:

Publish specific files

Dry run to test configuration

Output:

Publish with trusted publishing (GitHub Actions)

In your GitHub Actions workflow:

Check for existing files before upload

This prevents duplicate upload errors and allows retrying failed uploads.

Publish using keyring

Use cases

CI/CD publishing workflow

Complete workflow for building and publishing:

Publishing to multiple registries

Publish to Test PyPI first, then to PyPI:

Retry failed uploads

If a publish fails partway through:
Files already uploaded will be skipped.

Workspace publishing

Publish all workspace packages:

Security best practices

Use API tokens instead of passwords

API tokens are more secure and can be scoped:

Use trusted publishing when possible

Trusted publishing eliminates the need for long-lived credentials:

Store credentials securely

Never commit credentials to version control:

Test with dry run first

Verify configuration before actual upload:
  • uv build - Build distributions for publishing
  • uv init - Create a new project

Notes

  • By default, uv publishes to PyPI (https://upload.pypi.org/legacy/)
  • API tokens are preferred over username/password authentication
  • Trusted publishing is the most secure option for CI/CD
  • Use --dry-run to test your configuration without uploading
  • PEP 740 attestations are uploaded by default when available
  • Use --check-url to handle duplicate uploads and retry scenarios