diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 191d6d1..41ae2e3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,13 +16,15 @@ on:
- '[0-9]+.[0-9]+.[0-9]+[a-z]+[0-9]+' # pre-release: 0.9.0rc1, 1.0.0a2
# Needed for softprops/action-gh-release to create the Release and for the
-# v0 force-push.
+# v0 force-push. id-token: write -> OIDC for PyPI Trusted Publishing.
permissions:
contents: write
+ id-token: write
jobs:
release:
runs-on: ubuntu-latest
+ environment: pypi # scopes the PyPI Trusted Publisher; hook for approval rules
steps:
- uses: actions/checkout@v6
- uses: extractions/setup-just@v4
@@ -50,9 +52,9 @@ jobs:
# PyPI is irreversible, so it runs FIRST: if it fails the job stops and no
# GitHub Release or v0 move advertises a version that never reached PyPI.
# `just publish` derives the version from $GITHUB_REF_NAME (the tag name).
+ # Auth via PyPI Trusted Publishing (OIDC); no PYPI_TOKEN. Needs a Trusted
+ # Publisher on the semvertag PyPI project (env: pypi, workflow: release.yml).
- run: just publish
- env:
- PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
# Description source: planning/releases/.md if present (verbatim, no
# auto-changelog appended); otherwise GitHub's generated notes. A tag with
diff --git a/Justfile b/Justfile
index 56ccbdd..c335f0c 100644
--- a/Justfile
+++ b/Justfile
@@ -20,11 +20,12 @@ lint-ci:
test *args:
uv run --no-sync pytest {{ args }}
+# Auth via PyPI Trusted Publishing (OIDC); uv publish auto-detects the CI id-token.
publish:
rm -rf dist
uv version $GITHUB_REF_NAME
uv build
- uv publish --token $PYPI_TOKEN
+ uv publish
# Strict local docs build (no deploy). Mirrors CI's link/strict checks.
docs-build:
diff --git a/planning/releases/0.8.2.md b/planning/releases/0.8.2.md
new file mode 100644
index 0000000..d307dfc
--- /dev/null
+++ b/planning/releases/0.8.2.md
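Review bot: `id-token: write` is added to the workflow-level `permissions:` block, which hands the ability to mint a PyPI-accepted OIDC token to every job in the file and to every step inside `release`, including the third-party `extractions/setup-just@v4` and `actions/checkout@v6` actions that run before `just publish`. I would scope the grant to the job instead, i.e. drop the top-level `id-token: write` and add under `release:` a `permissions:` map with `contents: write` and `id-token: write`, and pin the third-party actions to full commit SHAs now that a compromised action in this job can publish to PyPI. The inline comment on `environment: pypi` says it "scopes the PyPI Trusted Publisher", which is only true if the publisher registered on PyPI names that environment; suggested wording: `environment: pypi # must match the environment set on the PyPI Trusted Publisher, else any release.yml run can publish`. The hunk's last two `- uses:` lines are context, so the rest of the steps list lies outside this hunk.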
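Review bot: Removing the `env:` block stops the job from reading `PYPI_TOKEN`, but the repository secret and the long-lived PyPI API token behind it remain valid unless they are explicitly deleted and revoked, so a dead credential stays exploitable with no remaining benefit. I'd record that in the new comment so nobody re-adds it: `# PYPI_TOKEN secret deleted and its PyPI API token revoked when OIDC landed; do not reintroduce.` It is also worth checking that no other workflow still references `secrets.PYPI_TOKEN` before revoking. The `- run: just publish` step sits in the `steps:` list whose start is in the previous hunk.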
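Review bot: The new `uv publish` line relies on auto-detection of the CI id-token, and as far as I recall uv's default publishing mode (`automatic`) falls back to other credential sources — `UV_PUBLISH_TOKEN`/`UV_PUBLISH_USERNAME`, keyring, or a prompt — when no OIDC token can be minted, so a misconfigured Trusted Publisher could either hang the job or publish with a stray token picked up from the environment. Pin the mode so a missing id-token or unregistered publisher fails immediately: `uv publish --trusted-publishing always`. This recipe already depends on `$GITHUB_REF_NAME`, so making it CI-only is consistent with how it is used; the comment above `publish:` could say `# CI-only: requires GITHUB_REF_NAME and the GitHub Actions id-token (OIDC).` The `publish` recipe is shown in full; `docs-build:` continues outside the hunk.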
@@ -0,0 +1,11 @@
+# semvertag 0.8.2 — release pipeline on PyPI Trusted Publishing
+
+No library changes. The package is identical to 0.8.1; this release exercises the new publish path end-to-end.
+
+## CI
+
+- Releases now authenticate to PyPI via **Trusted Publishing (OIDC)** instead of a long-lived `PYPI_TOKEN` secret. `uv publish` auto-detects the GitHub Actions id-token; the release job runs under a `pypi` environment that scopes the trusted publisher (#46).
+
+## Downstream
+
+No action required. Nothing about the installed package changes.