From a769e1eda5e0120ce4aad2e624265a7e8e8c0eb1 Mon Sep 17 00:00:00 2001
From: Artur Shiriev
Date: Wed, 1 Jul 2026 23:49:59 +0300
Subject: [PATCH] ci: publish to PyPI via Trusted Publishing (OIDC)
Drop the long-lived PYPI_TOKEN secret in favor of OIDC. uv publish auto-detects the GitHub Actions id-token; publish.yml grants id-token: write (plus contents: read for checkout) and runs under a `pypi` environment that scopes the PyPI Trusted Publisher. The existing on: release: published trigger is unchanged. Requires a Trusted Publisher on the that-depends PyPI project with workflow publish.yml and environment pypi before the next release.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
.github/workflows/publish.yml | 10 ++++++++--
Justfile | 3 ++-
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a377a4f..4f790ad 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,15 +5,21 @@ on: types: - published +# contents: read for checkout; id-token: write for PyPI Trusted Publishing (OIDC). +permissions: + contents: read + id-token: write + jobs: publish: runs-on: ubuntu-latest + environment: pypi # scopes the PyPI Trusted Publisher; hook for approval rules steps: - uses: actions/checkout@v6 - uses: extractions/setup-just@v4 - uses: astral-sh/setup-uv@v7 with: cache-dependency-glob: "**/pyproject.toml" + # Auth via PyPI Trusted Publishing (OIDC); no PYPI_TOKEN. Needs a Trusted + # Publisher on the that-depends PyPI project (env: pypi, workflow: publish.yml). - run: just publish - env: - PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
diff --git a/Justfile b/Justfile
index 1c25f06..75d276e 100644
--- a/Justfile
+++ b/Justfile
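Review bot: With `id-token: write` added in the publish.yml hunk, every step of the `publish` job can request the OIDC token that PyPI now accepts as a publish credential, so the unchanged `extractions/setup-just@v4` and `astral-sh/setup-uv@v7` steps (mutable tags) now sit inside the release trust boundary in a way the revocable `PYPI_TOKEN` secret did not; pinning each to a full commit SHA (e.g. `uses: astral-sh/setup-uv@<commit-sha>  # v7`, placeholder) is the usual hardening that goes with this switch. The new `permissions:` block is workflow-wide; moving the same three lines under `publish:` (`permissions:` / `contents: read` / `id-token: write`, indented under the job) keeps any job added later from inheriting the id-token grant. The `environment: pypi` comment calls it a "hook for approval rules", but no protection rule is part of this change — I would reword it to `# must match the PyPI Trusted Publisher's environment; approval/branch rules are configured in repo settings` so the next maintainer knows those rules still have to be set up.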
@@ -20,11 +20,12 @@ lint-ci: test *args: uv run --no-sync pytest {{ args }} +# Auth via PyPI Trusted Publishing (OIDC); uv publish auto-detects the CI id-token. publish: rm -rf dist uv version $GITHUB_REF_NAME uv build - uv publish --token $PYPI_TOKEN + uv publish hook: uv run pre-commit install --install-hooks --overwrite
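Review bot: `uv publish` in the `publish` recipe relies on uv's default `--trusted-publishing automatic`, which per uv's documentation ignores trusted publishing when it is not configured or the job lacks the needed permissions and then falls through to ordinary credential resolution; since the commit message lists the PyPI Trusted Publisher as a still-pending prerequisite, a misconfiguration would surface as a generic credentials error rather than an OIDC one. If this recipe is only ever run from the release workflow, `uv publish --trusted-publishing always` fails fast with an explicit OIDC error instead. If running `just publish` outside CI is still expected, the new comment should also state that local runs need `UV_PUBLISH_TOKEN` (or another uv credential source) now that the `--token $PYPI_TOKEN` form is gone.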