From 69262ec41fc2808a650863282f627cbf4a0225f9 Mon Sep 17 00:00:00 2001 From: Artur Shiriev Date: Wed, 1 Jul 2026 21:33:02 +0300 Subject: [PATCH 1/2] ci: publish to PyPI via Trusted Publishing (OIDC) Drop the long-lived PYPI_TOKEN secret in favor of OIDC. uv publish auto-detects the GitHub Actions id-token, so the release job grants id-token: write and runs under a `pypi` environment that scopes the PyPI Trusted Publisher. Requires a matching Trusted Publisher on the faststream-outbox PyPI project (workflow: release.yml, environment: pypi) before the next tag. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/release.yml | 8 +++++--- Justfile | 3 ++- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8cff843..5607cac 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,13 +11,15 @@ on: - '[0-9]+.[0-9]+.[0-9]+' # stable: 2.7.2 - '[0-9]+.[0-9]+.[0-9]+[a-z]+[0-9]+' # pre-release: 2.0.0rc1, 4.0.0a2 -# Needed for softprops/action-gh-release to create the GitHub Release. +# contents: write -> create the GitHub Release; id-token: write -> OIDC for PyPI Trusted Publishing. permissions: contents: write + id-token: write jobs: release: runs-on: ubuntu-latest + environment: pypi # scopes the PyPI Trusted Publisher; hook for approval rules steps: - uses: actions/checkout@v6 - uses: extractions/setup-just@v4 @@ -45,9 +47,9 @@ jobs: # PyPI is irreversible, so it runs FIRST: if it fails the job stops and no # GitHub Release is created advertising a version that never reached PyPI. # `just publish` derives the version from $GITHUB_REF_NAME (the tag name). + # Auth via PyPI Trusted Publishing (OIDC); no PYPI_TOKEN. Needs a Trusted + # Publisher on the faststream-outbox PyPI project (env: pypi, workflow: release.yml). - run: just publish - env: - PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }} # Description source: planning/releases/.md if present (verbatim, no # auto-changelog appended); otherwise GitHub's generated notes. A tag with diff --git a/Justfile b/Justfile index 446852e..4870ac3 100644 --- a/Justfile +++ b/Justfile @@ -37,11 +37,12 @@ index: check-planning: uv run python planning/index.py --check +# Auth via PyPI Trusted Publishing (OIDC); uv publish auto-detects the CI id-token. publish: rm -rf dist uv version $GITHUB_REF_NAME uv build - uv publish --token $PYPI_TOKEN + uv publish # Serve docs at http://127.0.0.1:8000 with hot-reload on save. docs-serve: From 08e2f0e71119251f7ead9c436b262f45b088f1aa Mon Sep 17 00:00:00 2001 From: Artur Shiriev Date: Wed, 1 Jul 2026 23:31:14 +0300 Subject: [PATCH 2/2] docs(release): add 0.10.5 notes (Trusted Publishing pipeline) Co-Authored-By: Claude Opus 4.8 (1M context) --- planning/releases/0.10.5.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 planning/releases/0.10.5.md diff --git a/planning/releases/0.10.5.md b/planning/releases/0.10.5.md new file mode 100644 index 0000000..a1e8a3a --- /dev/null +++ b/planning/releases/0.10.5.md @@ -0,0 +1,11 @@ +# faststream-outbox 0.10.5 — release pipeline on PyPI Trusted Publishing + +No library changes. The package is identical to 0.10.4; this release exercises the new publish path end-to-end. + +## CI + +- Releases now authenticate to PyPI via **Trusted Publishing (OIDC)** instead of a long-lived `PYPI_TOKEN` secret. `uv publish` auto-detects the GitHub Actions id-token; the release job runs under a `pypi` environment that scopes the trusted publisher (#123). + +## Downstream + +No action required. Nothing about the installed package changes.