From 7633fd7fbab4ad92874bc0bbad8e36399ef2d136 Mon Sep 17 00:00:00 2001
From: Travis Beauvais
Date: Wed, 12 Nov 2025 13:11:41 -0800
Subject: [PATCH] Update publish workflow to use OIDC trusted publishing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add id-token and contents permissions at workflow and job level
- Replace twine uploads with pypa/gh-action-pypi-publish action
- Remove API token dependencies (TEST_PYPI_API_TOKEN, PYPI_API_TOKEN)
- Maintain existing verification steps for TestPyPI

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 .github/workflows/publish.yml | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ff1f31c..c7af776 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,9 +4,16 @@ on:
   release:
     types: [created]
 
+permissions:
+  id-token: write  # Required for trusted publishing to PyPI
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # Required for trusted publishing to PyPI
+      contents: read
     steps:
       - uses: actions/checkout@v4
 
@@ -57,11 +64,9 @@ jobs:
           python -m twine check dist/*
 
       - name: Publish to TestPyPI
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.TEST_PYPI_API_TOKEN }}
-        run: |
-          python -m twine upload --repository testpypi dist/*
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
 
       - name: Verify TestPyPI installation
         run: |
@@ -78,8 +83,4 @@ jobs:
           echo "✓ TestPyPI package verified successfully!"
 
       - name: Publish to PyPI
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
-        run: |
-          python -m twine upload dist/*
+        uses: pypa/gh-action-pypi-publish@release/v1
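Review bot: The workflow-level `permissions:` block added at the top of this hunk grants `id-token: write` to every job in the file, while the job-level block a few lines below already grants exactly what the publish job needs, so any job added to this workflow later silently inherits the ability to mint a PyPI-scoped OIDC token. Keep the job-level grant and reduce the top-level block to `permissions:` / `  contents: read`, which then serves as the default-deny for every other job. Separately, this job checks out the repository (`actions/checkout@v4` is visible as context) and, per the later hunks, builds and twine-checks the distribution while holding `id-token: write`, so anything executed at build time (build backend, setup hooks, dependency installs) runs in a job that can request a publishing token; PyPA's trusted-publishing guidance is a build job with no `id-token` that uploads `dist/` as an artifact, plus a separate publish job that downloads it and declares an `environment:`, so the trusted publisher can be bound to that environment and deployment protection rules (required reviewers) gate the upload. The publish job's steps continue past the end of this hunk.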
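Review bot: The new `uses: pypa/gh-action-pypi-publish@release/v1` line references a mutable branch, so the action code that receives the OIDC token and your built artifacts can change without any diff in this repository; pin it to the full commit SHA of the release you reviewed, e.g. `uses: pypa/gh-action-pypi-publish@<full-40-char-sha>  # v1.x.y`, and let Dependabot propose bumps. Removing `TEST_PYPI_API_TOKEN` also only works if a trusted publisher for this project has been registered on test.pypi.org separately from pypi.org, with the workflow filename `publish.yml` (and the environment name, if one is declared on the job); the commit message does not mention that, so confirm it before the next release or this upload will be rejected. The `Verify TestPyPI installation` step that follows continues outside the hunk.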
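Review bot: The PyPI upload on the last line of this hunk is the irreversible step, and it uses the same mutable `@release/v1` reference as the TestPyPI step, so the same SHA pin should be applied here; in addition, adding `with:` / `  print-hash: true` makes the job log record the SHA256 of each file actually uploaded, giving an after-the-fact check that the artifacts twine-checked earlier are the ones that reached PyPI. The job header that would carry an `environment: pypi` declaration, and with it any required-reviewer protection, lies outside this hunk; without one, anyone who can create a release in this repository can publish to PyPI unattended, since the `release: created` trigger is the only gate.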