diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a377a4f..4f790ad 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,15 +5,21 @@ on:
 types:
 - published
 
+# contents: read for checkout; id-token: write for PyPI Trusted Publishing (OIDC).
+permissions:
+contents: read
+id-token: write
+
 jobs:
 publish:
 runs-on: ubuntu-latest
+environment: pypi # scopes the PyPI Trusted Publisher; hook for approval rules
 steps:
 - uses: actions/checkout@v6
 - uses: extractions/setup-just@v4
 - uses: astral-sh/setup-uv@v7
 with:
 cache-dependency-glob: "**/pyproject.toml"
+# Auth via PyPI Trusted Publishing (OIDC); no PYPI_TOKEN. Needs a Trusted
+# Publisher on the that-depends PyPI project (env: pypi, workflow: publish.yml).
 - run: just publish
-env:
-PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
diff --git a/Justfile b/Justfile
index 1c25f06..75d276e 100644
--- a/Justfile
+++ b/Justfile
@@ -20,11 +20,12 @@ lint-ci:
 test *args:
 uv run --no-sync pytest {{ args }}
 
+# Auth via PyPI Trusted Publishing (OIDC); uv publish auto-detects the CI id-token.
 publish:
 rm -rf dist
 uv version $GITHUB_REF_NAME
 uv build
-uv publish --token $PYPI_TOKEN
+uv publish
 
 hook:
 uv run pre-commit install --install-hooks --overwrite
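Review bot: Granting `id-token: write` to this job means every third-party action it runs can request the PyPI-scoped OIDC token, so the major-tag references `actions/checkout@v6`, `extractions/setup-just@v4` and `astral-sh/setup-uv@v7` in the unchanged `steps:` lines are now the weakest link: a moved or compromised tag could publish under the project's name without any secret being stolen. Pin each `uses:` to a full commit SHA and keep the tag in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v6`, and add `with: persist-credentials: false` to checkout since the job only needs `contents: read`. The new `environment: pypi` comment calls the environment a "hook for approval rules", but nothing in the workflow enforces that; unless required reviewers or deployment tag/branch rules are actually configured on the environment, anyone able to publish a GitHub release can publish to PyPI, so I would state the expected protection in the comment, e.g. `# PyPI Trusted Publisher is bound to this environment; configure required reviewers / tag rules on it`. The `on:` block and `release:` trigger start above the hunk.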
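Review bot: `uv publish` with no flags runs in uv's default trusted-publishing mode which, as I understand it, only tries the OIDC exchange opportunistically and otherwise falls back to token/credential auth, so a misconfigured Trusted Publisher (wrong environment name, workflow filename or repo) would surface as a generic authentication failure rather than a clear OIDC error. Since this recipe is CI-only, make the intended path explicit and fail-fast with `uv publish --trusted-publishing always`, and extend the new comment to say so, e.g. `# Auth via PyPI Trusted Publishing (OIDC) only; never falls back to a token.`. Minor: `uv version "$GITHUB_REF_NAME"` should be quoted so an unexpectedly empty variable fails loudly instead of turning into a bare `uv version` that prints the current version and lets the build proceed with a stale version.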