From 44988693ab202ad75bf50a5be56a6cde3fcd8a3a Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi
Date: Wed, 18 Mar 2026 19:28:52 +0530
Subject: [PATCH 1/2] Publish vulnerablecode to pypi using trusted publisher
Signed-off-by: Keshav Priyadarshi
---
 .github/workflows/pypi-release.yml | 27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml
index f791a2805..80114d975 100644
--- a/.github/workflows/pypi-release.yml
+++ b/.github/workflows/pypi-release.yml
@@ -21,12 +21,12 @@ on:
 jobs:
 build-pypi-distribs:
 name: Build and publish library to PyPI
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@master
+ - uses: actions/checkout@v4
 - name: Set up Python
- uses: actions/setup-python@v1
+ uses: actions/setup-python@v5
 with:
 python-version: 3.12
@@ -37,7 +37,7 @@ jobs:
 run: python -m build --sdist --wheel --outdir dist/
 - name: Upload built archives
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v7
 with:
 name: pypi_archives
 path: dist/*
@@ -47,17 +47,17 @@ jobs:
 name: Create GH release
 needs:
 - build-pypi-distribs
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
 steps:
 - name: Download built archives
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@v8
 with:
 name: pypi_archives
 path: dist
 - name: Create GH release
- uses: softprops/action-gh-release@v1
+ uses: softprops/action-gh-release@v2
 with:
 draft: true
 files: dist/*
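Review bot: The `uses:` references introduced in the first hunk (`actions/checkout@v4`, `actions/setup-python@v5`) are still mutable tags, so the code this release workflow runs can change without any change to this file. The same holds for `actions/upload-artifact@v7`, `actions/download-artifact@v8`, `softprops/action-gh-release@v2` and `pypa/gh-action-pypi-publish@release/v1` in the later hunks of this patch. Because the workflow builds and publishes the distribution, each reference is better pinned to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, and bumped by an update bot. The build job does not appear to use the repository token after checkout, so `persist-credentials: false` under a `with:` on the checkout step is also worth adding.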
@@ -67,17 +67,18 @@ jobs:
 name: Create PyPI release
 needs:
 - create-gh-release
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
+ environment: pypi-publish
+ permissions:
+ id-token: write
 steps:
 - name: Download built archives
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@v8
 with:
 name: pypi_archives
 path: dist
 - name: Publish to PyPI
- if: startsWith(github.ref, 'refs/tags')
- uses: pypa/gh-action-pypi-publish@master
- with:
- password: ${{ secrets.PYPI_API_TOKEN }}
+ if: startsWith(github.ref, 'refs/tags/')
+ uses: pypa/gh-action-pypi-publish@release/v1
From 64e41a545fd6ffa86634d200c5086eef60c1cff2 Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi
Date: Wed, 18 Mar 2026 19:30:15 +0530
Subject: [PATCH 2/2] Do not create GitHub release as draft
Signed-off-by: Keshav Priyadarshi
---
 .github/workflows/pypi-release.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml
index 80114d975..8e7a31733 100644
--- a/.github/workflows/pypi-release.yml
+++ b/.github/workflows/pypi-release.yml
@@ -59,7 +59,8 @@ jobs:
 - name: Create GH release
 uses: softprops/action-gh-release@v2
 with:
- draft: true
+ draft: false
+ generate_release_notes: true
 files: dist/*
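Review bot: In the `create-pypi-release` hunk of patch 1/2 (`@@ -67,17 +67,18 @@`), the tag check stays on the publish step, so the job itself, with `id-token: write` and the `pypi-publish` environment, still starts on every run that reaches it. Moving the condition to the job, `if: startsWith(github.ref, 'refs/tags/')` directly under `create-pypi-release:`, keeps the OIDC-capable job from running for non-tag refs; the job header and the workflow's `on:` triggers are outside the hunk, so whether non-tag runs are possible should be confirmed there. A comment above the new block would also help, e.g. `# id-token: write lets this job request the OIDC token used for PyPI trusted publishing; scopes not listed here are set to none`. The `pypi-publish` environment name has to match the one registered with the PyPI trusted publisher, and any protection rules on it (required reviewers, tag-only deployment) are not visible from this diff.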