From d1c1ee748d1430f577b2613565bba0f807baf578 Mon Sep 17 00:00:00 2001
From: ogkranthi
Date: Sun, 24 May 2026 20:52:15 -0400
Subject: [PATCH] =?UTF-8?q?feat:=20D35=20=E2=80=94=20PyPI=20publish=20via?= =?UTF-8?q?=20GitHub=20Actions=20Trusted=20Publisher?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replaces twine+secret with pypa/gh-action-pypi-publish using OIDC trusted publisher. Triggers on v* tag push with separate build and publish jobs. CI workflow already exists and is unchanged.

Co-Authored-By: Claude Opus 4.6
---
.github/workflows/publish.yml | 44 ++++++++++++++++++++++++-----------
1 file changed, 31 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 91facf4..a34c757 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,35 +1,53 @@ name: Publish to PyPI on: - release: - types: [published] + push: + tags: + - "v*" permissions: contents: read + id-token: write # Required for PyPI Trusted Publisher jobs: - publish: - name: Build and publish to PyPI + build: + name: Build distribution runs-on: ubuntu-latest - steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 with: - python-version: "3.12" + python-version: "3.11" - name: Install build tools - run: pip install build twine + run: pip install build - name: Build package run: python -m build - - name: Check dist - run: twine check dist/* + - name: Upload dist artifact + uses: actions/upload-artifact@v4 + with: + name: dist + path: dist/ + + publish: + name: Publish to PyPI + needs: build + runs-on: ubuntu-latest + environment: pypi + permissions: + id-token: write # Trusted Publisher OIDC + + steps: + - name: Download dist artifact + uses: actions/download-artifact@v4 + with: + name: dist + path: dist/ - name: Publish to PyPI - env: - TWINE_USERNAME: __token__ - TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} - run: twine upload dist/* + uses: pypa/gh-action-pypi-publish@release/v1 + with: + attestations: true
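Review bot: The workflow-level `permissions` block now grants `id-token: write` to every job, so the `build` job, which runs `pip install build` and `python -m build` (the project's build backend and whatever it installs), can also request an OIDC token. Only `publish` needs that permission and it already declares it at job level, so the top-level block should go back to just `contents: read`, dropping the `id-token: write  # Required for PyPI Trusted Publisher` line. Whether PyPI would accept a token minted in `build` depends on the trusted-publisher configuration, which is not visible here, so least privilege in the workflow is the safer guarantee. Separately, the publishing step is referenced by a moving branch (`pypa/gh-action-pypi-publish@release/v1`) and the other actions by major tags; in the job that holds publishing rights I would pin to a full commit SHA, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`. Since any `v*` tag push now triggers a release, it is also worth confirming that the `pypi` environment has protection rules such as required reviewers.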