
    3j                     2   S r SSKrSSKJr  SSKJr  SSKJr  SSKJ	r	J
r
  SrS	r " S
 S\\5      rS\S-  4S jrS\S\4S jrSSS.S\\-  S-  S\S-  S\4S jjrSS.S\S\S\S-  S\4S jjrSSSSS.S\S\S-  S\\-  S-  S\S-  S\S-  S\4S jjrg)u  Keyless CI/CD authentication via OIDC token exchange ("Trusted Publishers").

A CI job proves its identity to the Hub with a short-lived OIDC id token minted by its CI
provider (e.g. GitHub Actions), then exchanges it at ``POST {ENDPOINT}/oauth/token`` (RFC 8693)
for a short-lived Hugging Face token — no long-lived ``HF_TOKEN`` secret to store.

This module is self-contained: it only handles minting the provider id token and the exchange.
It deliberately does not register a public API or a CLI verb; the integration point is the token
resolution in ``utils/_auth.py`` (see ``_get_token_from_oidc``).

Docs: https://huggingface.co/docs/hub/trusted-publishers
    N)Enum   )	constants)	OIDCError)get_sessionhf_raise_for_statusz/urn:ietf:params:oauth:grant-type:token-exchangez)urn:ietf:params:oauth:token-type:id_tokenc                       \ rS rSrSrSrSrg)Provider(   zRCI providers that can mint an OIDC id token natively. GitHub Actions only for now.github N)__name__
__module____qualname____firstlineno____doc__GITHUB__static_attributes__r       O/home/wildlama/miniconda3/lib/python3.13/site-packages/huggingface_hub/_oidc.pyr
   r
   (   s
    \Fr   r
   returnc                  j    [         R                  R                  S5      S:X  a  [        R                  $ g)zYDetect the CI provider able to mint an OIDC id token, or `None` if not in a supported CI.GITHUB_ACTIONStrueN)osenvirongetr
   r   r   r   r   detect_providerr   .   s%    	zz~~&'61r   audiencec                 ,   [         R                  R                  S5      n[         R                  R                  S5      nU(       a  U(       d  [        S5      e[	        5       R                  USU 0SSU 30S9n[        U5        UR                  5       S   $ )	zMint an OIDC id token from the GitHub Actions runtime.

Relies on the `ACTIONS_ID_TOKEN_REQUEST_URL` / `ACTIONS_ID_TOKEN_REQUEST_TOKEN` env vars,
which GitHub only injects when the job declares `permissions: id-token: write`.
ACTIONS_ID_TOKEN_REQUEST_URLACTIONS_ID_TOKEN_REQUEST_TOKENzCannot request an OIDC id token from GitHub Actions. Make sure the workflow job sets `permissions: id-token: write`. See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connectr   AuthorizationzBearer )paramsheadersvalue)r   r   r   r   r   r   json)r   request_urlrequest_tokenresponses       r   _get_github_oidc_tokenr+   5   s     **..!?@KJJNN#CDMmM
 	

 }  H% GM?";< ! H
 !==?7##r   providerr   r-   c                    U=(       d    [         R                  nU =(       d
    [        5       n SR                  S [         5       5      nU c  [        SU S35      eU [        R                  :X  a  [        U5      $ [        SU  SU S35      e)a  Mint a raw OIDC id token (JWT) from the current CI provider.

Args:
    provider (`str`, *optional*):
        CI provider to use. Auto-detected from the environment when omitted.
    audience (`str`, *optional*):
        The `aud` claim to request. Defaults to `constants.ENDPOINT` so it matches the endpoint
        that validates it (respects `HF_ENDPOINT`/staging).

Returns:
    `str`: The raw id token (JWT) to pass to [`exchange_oidc_token`].
z, c              3   8   #    U  H  oR                   v   M     g 7f)N)r&   ).0ps     r   	<genexpr>!get_oidc_token.<locals>.<genexpr>[   s     48a''8s   zONo supported CI OIDC provider detected. Trusted Publishers currently supports: .zOIDC provider 'z#' is not supported yet. Supported: )	r   ENDPOINTr   joinr
   r   r   r+   NotImplementedError)r-   r   	supporteds      r   get_oidc_tokenr9   L   s     -9--H,?,H		4844Iijsittuvww8??"%h//
z9\]f\gghi
jjr   )endpointsubject_tokenresourcer:   c                     [        5       R                  U=(       d    [        R                   S3[        [
        U US.S9n[        U5        UR                  5       $ )u  Exchange a CI OIDC id token for a short-lived Hugging Face token (RFC 8693).

Args:
    subject_token (`str`):
        The raw OIDC id token (JWT) from the CI provider. Its `aud` claim must be the Hub URL,
        i.e. the endpoint that validates it.
    resource (`str`):
        What to scope the token to: a Hub repo (`namespace/name`, `datasets/namespace/name`,
        `spaces/namespace/name`, `kernels/namespace/name`) for a write token, or a bare Hub
        username for a read-only `gated-repos` token.
    endpoint (`str`, *optional*):
        Hub endpoint. Defaults to `constants.ENDPOINT` (respects `HF_ENDPOINT`/staging).

Returns:
    `dict`: The token-exchange response, e.g.
    `{"access_token": "hf_jwt_…", "token_type": "bearer", "expires_in": 3600, ...}`.
z/oauth/token)
grant_typesubject_token_typer;   r<   )r'   )r   postr   r5   _TOKEN_EXCHANGE_GRANT_TYPE_ID_TOKEN_TYPEr   r'   )r;   r<   r:   r*   s       r   exchange_oidc_tokenrC   c   sX    " }!!)y))
*,74"0* 	
 " H !==?r   )r;   r-   r   r:   c                 r    U=(       d    [         R                  nUc  [        X#=(       d    US9n[        XUS9$ )uj  Mint a CI OIDC id token and exchange it for a Hugging Face token.

Convenience wrapper around [`get_oidc_token`] + [`exchange_oidc_token`]. Returns the raw
exchange response (it does not persist anything — the caller decides what to do with the token).

Args:
    resource (`str`):
        Repo or username to scope the token to. See [`exchange_oidc_token`].
    subject_token (`str`, *optional*):
        A pre-minted OIDC id token to exchange directly. Use this for CI providers not yet
        supported natively (e.g. GitLab): mint the id token in your job and pass it here. When
        omitted, the token is minted from the detected `provider`.
    provider (`str`, *optional*):
        CI provider. Auto-detected when omitted. Ignored when `subject_token` is provided.
    audience (`str`, *optional*):
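        The `aud` claim to request when minting the id token. Defaults to the resolved `endpoint`,
        so it matches the endpoint that validates it. Not used when `subject_token` is provided:
        a pre-minted token already carries its own `aud`.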
    endpoint (`str`, *optional*):
        Hub endpoint. Defaults to `constants.ENDPOINT`.

Returns:
    `dict`: The token-exchange response (`access_token`, `token_type`, `expires_in`, ...).
r,   )r;   r<   r:   )r   r5   r9   rC   )r<   r;   r-   r   r:   s        r   
oidc_loginrE      s7    > -9--H&CWxX]X`aar   )r   r   enumr    r   errorsr   utilsr   r   rA   rB   strr
   r   r+   r9   dictrC   rE   r   r   r   <module>rL      s%   
    3 O <sD D $S $S $. 9=UY k3 5 kd
 k^a k. VZ #  d
 ^b B !%&*"b"b :"b nt#	"b
 Dj"b Dj"b 
"br   