From d55c4ea702116010b8e2d825a655761081d5009e Mon Sep 17 00:00:00 2001 From: Brady Holt Date: Thu, 2 Jul 2026 11:43:10 -0500 Subject: [PATCH 1/2] Use PyPI Trusted Publishing for releases Replace the API-token-based poetry publish with the official pypa/gh-action-pypi-publish action, which authenticates via OIDC now that GitHub Actions is configured as a Trusted Publisher on PyPI. The job's permissions are now declared explicitly to grant id-token: write, restoring contents/issues/pull-requests access the release steps relied on implicitly. --- .github/workflows/publish.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 27297be..b3e1efa 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -13,6 +13,11 @@ on: jobs: publish: runs-on: ubuntu-latest + permissions: + id-token: write # required for PyPI Trusted Publishing (OIDC) + contents: write # create the GitHub Release + issues: write # comment on PRs included in the release + pull-requests: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -45,9 +50,7 @@ jobs: git commit -m 'Bumping version for ${{ steps.bump_version.outputs.new_version }}' git push - name: Publish to PyPI - env: - POETRY_PYPI_TOKEN_PYPI: ${{ secrets.POETRY_PYPI_TOKEN_PYPI }} - run: poetry publish + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 - name: Create a Release id: create-release uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 From 9fd31c140fc6ceb910fbc0d5465dc734ff55b482 Mon Sep 17 00:00:00 2001 From: Brady Holt Date: Thu, 2 Jul 2026 13:46:12 -0500 Subject: [PATCH 2/2] Drop unneeded issues: write permission from publish workflow Commenting on PRs via the issues API keys its permission off the target resource, so pull-requests: write covers it. The workflow never comments on a real issue, so issues: write was unnecessary. --- .github/workflows/publish.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index b3e1efa..12a4df5 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -16,8 +16,7 @@ jobs: permissions: id-token: write # required for PyPI Trusted Publishing (OIDC) contents: write # create the GitHub Release - issues: write # comment on PRs included in the release - pull-requests: write + pull-requests: write # comment on PRs included in the release steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: