From ef24cc61663d640649e71882d5818000cb62ed92 Mon Sep 17 00:00:00 2001 From: Tony Narlock Date: Sun, 7 Dec 2025 15:15:34 -0600 Subject: [PATCH 1/2] ci(release): Migrate to PyPI Trusted Publisher why: Improve security by eliminating stored API tokens and enable package attestations what: - Add OIDC permissions (id-token, attestations) to release job - Remove user/password authentication in favor of trusted publishing - Enable attestations for supply chain security - Fix deprecated skip_existing to skip-existing --- .github/workflows/tests.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 96963d4..3c8cf89 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -49,6 +49,9 @@ jobs: runs-on: ubuntu-latest needs: build if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') + permissions: + id-token: write + attestations: write strategy: matrix: @@ -76,6 +79,5 @@ jobs: if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') uses: pypa/gh-action-pypi-publish@release/v1 with: - user: __token__ - password: ${{ secrets.PYPI_API_TOKEN }} - skip_existing: true + attestations: true + skip-existing: true From e642cd7f1e0a32e8438f36dc37c0fd9e0c570534 Mon Sep 17 00:00:00 2001 From: Tony Narlock Date: Sun, 7 Dec 2025 15:15:56 -0600 Subject: [PATCH 2/2] docs(CHANGES): Document Trusted Publisher migration (#43) --- CHANGES | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 726831a..fb87bed 100644 --- a/CHANGES +++ b/CHANGES @@ -29,10 +29,12 @@ $ uvx --from 'g' --prerelease allow g ## g 0.0.9 (unreleased) -- _Notes on upcoming releases will be added here_ - +### Packaging + +- Migrate to PyPI Trusted Publisher (#43) + ### Documentation - Migrate docs deployment to AWS OIDC authentication and AWS CLI