From 0ec0e8785cb99d8b735da6083174c6f5900179d0 Mon Sep 17 00:00:00 2001
From: Himanshu Agrawal <himanshu.agrawal268@gmail.com>
Date: Sun, 14 Jun 2026 01:43:23 +0530
Subject: [PATCH] Document publishing job boundary

---
 ...n-releases-using-github-actions-ci-cd-workflows.rst | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/source/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows.rst b/source/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows.rst
index 3b5e6ed28..ed24f0613 100644
--- a/source/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows.rst
+++ b/source/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows.rst
@@ -131,6 +131,16 @@ So add this to the steps list:
    :start-at: Install pypa/build
    :end-before: publish-to-pypi
 
+.. important::
+
+   Keep building distributions and publishing them in separate jobs. The
+   publishing jobs in this guide intentionally do not check out your project or
+   run build commands. Instead, they only download the distribution files
+   produced by the build job and upload them to the package index. Combining
+   the build and publish steps in the same job is unsupported because it gives
+   the publishing job access to project code and its build-time dependencies
+   while it also has permission to mint publishing credentials.
+
 Defining a workflow job environment
 ===================================