From d96ecda408cb4f897ecfae449e48bfec58aee6dd Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Mon, 1 Jun 2026 19:41:31 +0200 Subject: [PATCH 1/2] chore(ci): restrict OIDC token to publish job --- .github/workflows/release.yml | 40 ++++++++++++++++++++++++++--------- 1 file changed, 30 insertions(+), 10 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0583229..f2a4bb3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,18 +8,11 @@ name: release permissions: {} jobs: - pypi: - name: upload release to PyPI + build: + name: build release distributions runs-on: ubuntu-latest - environment: release permissions: - # Used for OIDC publishing. - # Used to sign the release's artifacts with sigstore-python. - id-token: write - - # Used to attach signing artifacts to the published release. - contents: write - + contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -35,6 +28,33 @@ jobs: - name: build run: python -m build + - name: upload distributions + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: distributions + path: dist/ + if-no-files-found: error + + pypi: + name: upload release to PyPI + runs-on: ubuntu-latest + needs: build + environment: release + permissions: + # Used for OIDC publishing. + # Used to sign the release's artifacts with sigstore-python. + id-token: write + + # Used to attach signing artifacts to the published release. + contents: write + + steps: + - name: download distributions + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: distributions + path: dist/ + - name: publish uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 with: From 0b9ff47e8cba3b2f9c6ed530948980ecfa2be394 Mon Sep 17 00:00:00 2001 
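Review bot: The `build` job now runs `python -m build` on a checkout made with `contents: read`, but whether that checkout sets `persist-credentials: false` cannot be seen here — the checkout's `with:` block is the hunk's last line and its contents, like the rest of the job, lie outside the hunk. If it is not set, the job token stays in `.git/config` for the whole build, where any build backend or dependency pulled in by `python -m build` can read it; `persist-credentials: false` costs nothing in a job that only builds. Consider adding `persist-credentials: false` under that `with:` if it is not already there.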
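Review bot: The new `pypi` job intentionally has no `actions/checkout` — it only downloads the `distributions` artifact and publishes it — but nothing in the hunk records that this absence is the point of the split, so a later edit could add a checkout or any other step that runs repository code next to `id-token: write` without anything flagging it. A comment on the job, e.g. `# No checkout on purpose: this job holds the OIDC token, so it must only publish artifacts produced by the build job and never execute repository code.`, would make the boundary explicit. The `path: dist/` on the download step matches the publish action's default `packages-dir`, so no further input is needed for that; the publish step's `with:` block continues past the end of the hunk.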
From: Facundo Tuesca Date: Mon, 1 Jun 2026 19:47:51 +0200 Subject: [PATCH 2/2] chore(ci): drop redundant CI settings attestations already defaults to true, and the publish job does not need contents: write. --- .github/workflows/release.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f2a4bb3..332e646 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -45,9 +45,6 @@ jobs: # Used to sign the release's artifacts with sigstore-python. id-token: write - # Used to attach signing artifacts to the published release. - contents: write - steps: - name: download distributions uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -57,5 +54,3 @@ jobs: - name: publish uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 - with: - attestations: true
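Review bot: After dropping `contents: write`, the comment left on `id-token: write` still says the token is "Used to sign the release's artifacts with sigstore-python", yet the job has no sigstore-python step — its only consumer of the token is `pypa/gh-action-pypi-publish`, which uses it for Trusted Publishing and for the upload attestations it generates (the job's steps continue past this hunk). Rewording it to `# Used by gh-action-pypi-publish for Trusted Publishing and attestation generation.` would keep the justification for this permission accurate now that the release-asset path the removed comment described is gone.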
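Review bot: With the `with:` block removed, the publish step now relies on the action's default for `attestations`; because the action is pinned to a commit (v1.14.0) that default is fixed for now, but it will be re-evaluated silently on the next pin bump and nothing in the file states that attestations are expected. If the explicit setting is dropped, a one-line comment on the step such as `# attestations are generated by default in this action version; re-check on bump` keeps the expectation visible; otherwise leaving `attestations: true` explicit is the more conservative choice.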