From d1cb17e43fab8257bce22111984887663fa99659 Mon Sep 17 00:00:00 2001
From: Matthew Horoszowski
Date: Fri, 1 May 2026 21:14:22 -0400
Subject: [PATCH] ci: add PyPI Trusted Publishing workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds .github/workflows/publish.yml so future releases publish to PyPI
automatically when a GitHub Release is published, using PyPI's OIDC Trusted
Publishing instead of a long-lived API token stored as a repo secret.

Workflow:
- build job: checkout, build sdist+wheel, twine check, upload as workflow artifact.
- publish-pypi job: downloads the artifact and uploads to PyPI via
  pypa/gh-action-pypi-publish, gated on the `pypi` environment with id-token
  write permission for OIDC.

One-time setup required on PyPI side (cannot be done from this repo):
1. https://pypi.org/manage/project/python-pptx-extended/settings/publishing/
2. Add a GitHub publisher with:
     owner:       MHoroszowski
     repository:  python-pptx
     workflow:    publish.yml
     environment: pypi
3. (Recommended) Create a `pypi` environment in repo Settings → Environments
   with branch protection requiring tag-based deploys.

Triggering a release after setup:
- Cut a GitHub Release pointing at a vX.Y.Z tag — this fires the workflow on
  `release: published`.
- workflow_dispatch is also wired for manual re-runs / overrides.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/publish.yml | 59 +++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 .github/workflows/publish.yml

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 000000000..2d4476e1c
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,59 @@ +name: publish + +# Builds and publishes python-pptx-extended to PyPI using PyPI Trusted +# Publishing (OIDC). No long-lived API token is stored in repo secrets — the +# workflow's identity is verified by PyPI against the configured Trusted +# Publisher (see one-time setup in the PR description). +# +# Triggers: +# - GitHub Release published (recommended path: cut a release in the GH UI) +# - Manual workflow_dispatch (override / re-run) +# +# Tag pushes alone do not trigger this; create a Release pointing at the tag. + +on: + release: + types: [published] + workflow_dispatch: + +jobs: + build: + name: Build sdist and wheel + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: "3.12" + - name: Install build tooling + run: python -m pip install --upgrade build + - name: Build distributions + run: python -m build + - name: Verify metadata renders + run: | + python -m pip install --upgrade twine + python -m twine check dist/* + - name: Upload build artifacts + uses: actions/upload-artifact@v4 + with: + name: dist + path: dist/ + + publish-pypi: + name: Publish to PyPI + needs: build + runs-on: ubuntu-latest + environment: + name: pypi + url: https://pypi.org/project/python-pptx-extended/ + permissions: + id-token: write + steps: + - name: Download build artifacts + uses: actions/download-artifact@v4 + with: + name: dist + path: dist/ + - name: Publish to PyPI + uses: pypa/gh-action-pypi-publish@release/v1
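Review bot: the `workflow_dispatch:` trigger combined with the unconditional `publish-pypi` job means anyone with write access can run this workflow from any branch and push whatever that branch builds to PyPI, because the only gate is the `pypi` environment, and the commit message leaves the tag-based deployment rule on that environment as "(Recommended)" rather than required. Since Trusted Publishing binds the OIDC identity to the `pypi` environment, the environment protection rule is the control that stops an arbitrary-branch publish; either make that rule mandatory in the setup steps, or add a guard to the job so the workflow enforces it itself, e.g. `if: startsWith(github.ref, 'refs/tags/v')` under `publish-pypi:` (for `release: published` the ref is already the tag, so the release path keeps working). Two smaller supply-chain points in the same hunk: `uses: pypa/gh-action-pypi-publish@release/v1`, `actions/checkout@v4`, `actions/setup-python@v5` and the artifact actions are all mutable refs, so for a job that holds `id-token: write` it is worth pinning each to a full commit SHA with the version in a trailing comment; and the file sets permissions only on the publish job, so consider a top-level `permissions: contents: read` so the `build` job does not inherit the repository's default `GITHUB_TOKEN` scope.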