From 0270e3802145172c03e8f77f256f9b1a60cd922c Mon Sep 17 00:00:00 2001
From: Karthic Raghupathi <karthicr@ivrtechnology.com>
Date: Wed, 24 Jun 2026 15:31:37 -0400
Subject: [PATCH 1/2] Add PyPI auto-publish on release via Trusted Publishing
 (#58)

A publish.yml workflow builds the sdist + wheel and uploads to PyPI when
a GitHub release is published. Authentication is PyPI Trusted Publishing
(OIDC) -- no API token is stored. The publish job requests id-token:write
and runs in a 'pypi' GitHub Environment, which also allows an optional
manual-approval gate.

Requires a one-time PyPI Trusted Publisher config (owner IVRTech, repo
pystrix, workflow publish.yml, environment pypi).

Closes #58
---
 .github/workflows/publish.yml | 37 +++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 .github/workflows/publish.yml

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..e13a281
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,37 @@
+name: Publish to PyPI
+
+# Publishes to PyPI when a GitHub release is published. Authentication uses
+# PyPI Trusted Publishing (OIDC), so no API token is stored in the repo or CI.
+#
+# One-time PyPI setup (maintainer): add a Trusted Publisher to the pystrix
+# project with owner "IVRTech", repository "pystrix", workflow "publish.yml",
+# and environment "pypi".
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    environment:
+      name: pypi
+      url: https://pypi.org/project/pystrix/
+    permissions:
+      id-token: write  # required for Trusted Publishing (OIDC)
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Build sdist and wheel
+        run: |
+          python -m pip install build
+          python -m build
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

From dbfccd3fc06627b2ceea1d711c2dd94093d809c0 Mon Sep 17 00:00:00 2001
From: Karthic Raghupathi <karthicr@ivrtechnology.com>
Date: Wed, 24 Jun 2026 16:10:01 -0400
Subject: [PATCH 2/2] Harden publish workflow per review panel

- Split into an unprivileged `build` job and an OIDC `publish` job
  (needs: build), passing dist/ via artifact. Only the publish job holds
  id-token: write, so the build backend never has the publishing identity
  (PyPA-recommended structure).
- Add contents: read to the publish job's permissions (job-level perms do
  not inherit the top-level block).
- Add a verify step: non-empty dist/, twine check, and a built-version vs
  release-tag match (read from an env var to avoid injection).

Kept pypa/gh-action-pypi-publish@release/v1 (PyPA's recommended ref)
rather than a SHA pin; SHA-pinning is deferred to pair with Dependabot.
---
 .github/workflows/publish.yml | 47 +++++++++++++++++++++++++++++------
 1 file changed, 39 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index e13a281..ca29440 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -2,6 +2,8 @@ name: Publish to PyPI
 
 # Publishes to PyPI when a GitHub release is published. Authentication uses
 # PyPI Trusted Publishing (OIDC), so no API token is stored in the repo or CI.
+# Build and publish are separate jobs: only the publish job holds the OIDC
+# publishing identity, so the build backend never has access to it.
 #
 # One-time PyPI setup (maintainer): add a Trusted Publisher to the pystrix
 # project with owner "IVRTech", repository "pystrix", workflow "publish.yml",
@@ -14,15 +16,10 @@ permissions:
   contents: read
 
 jobs:
-  publish:
-    name: Publish to PyPI
+  build:
+    name: Build distribution
     runs-on: ubuntu-latest
     timeout-minutes: 10
-    environment:
-      name: pypi
-      url: https://pypi.org/project/pystrix/
-    permissions:
-      id-token: write  # required for Trusted Publishing (OIDC)
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python
@@ -31,7 +28,41 @@ jobs:
           python-version: "3.11"
       - name: Build sdist and wheel
         run: |
-          python -m pip install build
+          python -m pip install build twine
           python -m build
+      - name: Verify artifacts and version
+        env:
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+        run: |
+          test -n "$(ls -A dist/)" || { echo "::error::dist/ is empty"; exit 1; }
+          python -m twine check dist/*
+          version="$(python -c 'import pystrix; print(pystrix.VERSION)')"
+          if [ "$RELEASE_TAG" != "v$version" ] && [ "$RELEASE_TAG" != "$version" ]; then
+            echo "::error::built version $version does not match release tag $RELEASE_TAG"
+            exit 1
+          fi
+      - name: Upload distribution artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    name: Publish to PyPI
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    environment:
+      name: pypi
+      url: https://pypi.org/project/pystrix/
+    permissions:
+      contents: read
+      id-token: write  # required for Trusted Publishing (OIDC)
+    steps:
+      - name: Download distribution artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1