From bec46656d2d4ef724ee92af36ef14617136f3a73 Mon Sep 17 00:00:00 2001
From: Nikolaus Waxweiler
Date: Tue, 23 Sep 2025 12:09:28 +0100
Subject: [PATCH] Use trusted publishing

In light of the recent npm supply chain attacks and also https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/, I'm combing through our font stack to see if all them Py projects are using the trusted publisher mechanism as recommended by PyPI. See https://docs.pypi.org/trusted-publishers/ and https://docs.astral.sh/uv/guides/integration/github/#publishing-to-pypi. Someone needs to do three things for this PR to work:
* Create an environment called "publish-to-pypi" in this GitHub repository under Settings -> Environments. Creating alone is probably enough, no configuration needed I think.
* Follow https://docs.pypi.org/trusted-publishers/adding-a-publisher/ to set up the other side on PyPI.
* Remove tokens/secret variables here so they can't be exfiltrated anymore, and probably also remove them from PyPI.
---
 .github/workflows/ci.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 86cee0d..1352f7a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -137,6 +137,11 @@ jobs:
 # but only if all build jobs completed successfully
 needs: [build_wheels, build_arch_wheels, build_sdist]
 runs-on: ubuntu-latest
+ environment:
+ name: publish-to-pypi
+ url: https://pypi.org/p/pyclipper
+ permissions:
+ id-token: write # IMPORTANT: mandatory for trusted publishing.
 steps:
 - uses: actions/checkout@v4
@@ -176,7 +181,4 @@ jobs:
 draft: false
 prerelease: ${{ env.IS_PRERELEASE }}
- - uses: pypa/gh-action-pypi-publish@v1.4.2
- with:
- user: __token__
- password: ${{ secrets.PYPI_PASSWORD }}
+ - uses: pypa/gh-action-pypi-publish@v1.13.0
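Review bot: The job-level `permissions:` block added in the first hunk (`@@ -137,6 +137,11 @@`) lists only `id-token: write`, which drops every other GITHUB_TOKEN scope for this job to none. The second hunk's context shows a step with `draft: false` and `prerelease:` earlier in the same job, which looks like a GitHub release step; if it authenticates with GITHUB_TOKEN it will need `contents: write` listed beside `id-token: write`, otherwise it is likely to fail with a permission error on the first tagged build. Moving the PyPI upload into its own job that holds only `id-token: write` would keep the OIDC-capable token away from the checkout and release steps. The job body continues outside both hunks, so the scopes each step needs should be confirmed against the full file.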
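Review bot: In the second hunk (`@@ -176,7 +181,4 @@`), `pypa/gh-action-pypi-publish@v1.13.0` is referenced by a tag, which can be moved, inside the one job that can now mint an OIDC token PyPI will accept for uploads. Pin it to the release's full commit SHA and keep the version as a trailing comment, e.g. `- uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # v1.13.0` (placeholder; take the SHA from the v1.13.0 release). The `publish-to-pypi` environment is the other control on this path: name it in the PyPI trusted-publisher entry and consider restricting it to release tags or required reviewers, because an environment created without rules does not limit which refs may deploy to it.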