From a47fd62d4685aadcf0a2dbc6e91602f811587b5c Mon Sep 17 00:00:00 2001
From: Jeong-Yoon Lee
Date: Fri, 3 Jul 2026 23:39:48 -0700
Subject: [PATCH] Fix PyPI trusted publishing: add id-token: write to upload_all
The v0.17.0 publish workflow failed with "OpenID Connect token retrieval failed: missing or insufficient OIDC token permissions" because the upload_all job lacked `id-token: write`, which PyPI trusted publishing (OIDC) requires. #871 switched to trusted publishing but never added the permission, and v0.17.0 was the first release to exercise it.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/python-publish.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index 753e34b6..3990ec31 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -58,6 +58,8 @@ jobs:
 upload_all:
 needs: [build_wheels, make_sdist]
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write # required for PyPI trusted publishing (OIDC)
 if: github.event_name == 'release' && github.event.action == 'published'
 steps:
 - uses: actions/download-artifact@v7
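Review bot: With `id-token: write` on `upload_all`, every step in that job can request an OIDC token, and the job keys visible in this hunk (`needs`, `runs-on`, `permissions`, `if`) do not bind the job to a deployment environment. Consider adding `environment: <pypi-environment-name>` (placeholder; it has to match the environment named on the PyPI trusted publisher entry, if one is configured) so that environment protection rules gate the publish and a token minted outside that environment is not accepted. A job-level `permissions` block also sets every unlisted scope to `none`, which is the least-privilege result you want here; the comment could say so, e.g. `# only id-token is granted; all other GITHUB_TOKEN scopes are none for this job`, so a later step that needs `contents: read` does not fail unexpectedly. The steps list continues outside the hunk, so whether the publish action and `actions/download-artifact@v7` are pinned to full commit SHAs, which matters more now that the job can mint publish tokens, cannot be checked from here.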