From cea4fc5a9380f1b65d5ca56e5c689817fa8f12be Mon Sep 17 00:00:00 2001 From: Tony Narlock Date: Sun, 7 Dec 2025 15:15:34 -0600 Subject: [PATCH 1/2] ci(release): Migrate to PyPI Trusted Publisher why: Improve security by eliminating stored API tokens and enable package attestations what: - Add OIDC permissions (id-token, attestations) to release job - Remove user/password authentication in favor of trusted publishing - Enable attestations for supply chain security - Fix deprecated skip_existing to skip-existing --- .github/workflows/tests.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 7f551b5..a6edf58 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -49,6 +49,9 @@ jobs: runs-on: ubuntu-latest needs: build if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') + permissions: + id-token: write + attestations: write strategy: matrix: @@ -76,6 +79,5 @@ jobs: if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') uses: pypa/gh-action-pypi-publish@release/v1 with: - user: __token__ - password: ${{ secrets.PYPI_API_TOKEN }} - skip_existing: true + attestations: true + skip-existing: true From 981e6f44f29121747b84d4fac6d08c900bbee26c Mon Sep 17 00:00:00 2001 From: Tony Narlock Date: Sun, 7 Dec 2025 15:15:56 -0600 Subject: [PATCH 2/2] docs(CHANGES): Document Trusted Publisher migration (#43) --- CHANGES | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 0c80d86..edb46da 100644 --- a/CHANGES +++ b/CHANGES @@ -29,10 +29,12 @@ $ uvx --from 'g' --prerelease allow g ## g 0.0.9 (unreleased) -- _Notes on upcoming releases will be added here_ - +### CI + +- Migrate to PyPI Trusted Publisher (#43) + ## g 0.0.8 (2025-11-01) ### Breaking changes