Commit 34a2575
authored
Use PyPI Trusted Publishing for publishing releases (#640)
### Summary
- Switch PyPI publishing to Trusted Publishing via GitHub OIDC.
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Changes how production packages are authenticated and published; misconfigured PyPI Trusted Publishing or job permissions would block releases until fixed.
>
> **Overview**
> Release publishing no longer uses a long-lived **`PYPI`** secret with **`uv publish`**. The **`build-and-publish`** job now grants **`id-token: write`** (and **`contents: read`**) and uploads wheels/sdists with **`pypa/gh-action-pypi-publish@release/v1`**, which authenticates to PyPI through GitHub OIDC Trusted Publishing.
>
> **`uv build`** is unchanged; only the upload step and job permissions differ.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit dc048fa. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

1 parent ade2e58 commit 34a2575
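The summary above describes the shape of the change but the diff body is not rendered on this page, so the following is an added, illustrative GitHub Actions workflow showing how a Trusted Publishing job is typically laid out. It is not the repository's actual workflow file. The only pieces taken from the page are the job name `build-and-publish`, the `id-token: write` / `contents: read` permissions, `uv build`, and the `pypa/gh-action-pypi-publish@release/v1` action; the workflow file name, the tag trigger, the `pypi` environment, the `dist/` path, and the `astral-sh/setup-uv`, `actions/checkout`, `actions/upload-artifact` and `actions/download-artifact` steps are assumptions. It goes one step beyond the single job on the page by splitting the build from the publish, so that the only job holding an OIDC token runs no third-party build code.

```yaml
# Illustrative release workflow for PyPI Trusted Publishing (assumed file:
# .github/workflows/release.yml). Not the project's own workflow; job name,
# permissions, `uv build` and the publish action are taken from the commit
# summary, everything else is an assumption for illustration.
name: release

on:
  push:
    tags: ["v*"]          # assumed trigger: a version tag starts a release

# Workflow-wide default: read-only. Jobs that need more must ask explicitly.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # pin to a full commit SHA in practice
      - uses: astral-sh/setup-uv@v5        # pin to a full commit SHA in practice
      - run: uv build                      # unchanged from the original workflow
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/                      # wheels and sdists built above

  build-and-publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi                      # assumed: a protected environment as an extra gate
    # Job-level permissions: declaring any scope here resets every scope not
    # listed to `none`, so only this job can mint an OIDC token.
    permissions:
      id-token: write                      # required for GitHub OIDC -> PyPI
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # Exchanges the job's OIDC token for a short-lived PyPI upload token;
      # no long-lived API token secret is stored in the repository.
      - uses: pypa/gh-action-pypi-publish@release/v1
```

On the PyPI side the Trusted Publisher entry must name the owner, repository, workflow file name and (if one is used) the environment exactly as they appear here; a mismatch on any of those fields causes the OIDC token exchange, and therefore the release upload, to fail.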
1 file changed
Lines changed: 4 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
251 | 251 | | |
252 | 252 | | |
253 | 253 | | |
| 254 | + | |
| 255 | + | |
| 256 | + | |
254 | 257 | | |
255 | 258 | | |
256 | 259 | | |
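Review bot: the three lines added at 254-256 carry the new `permissions` block (`id-token: write` and `contents: read` per the summary); confirm they sit at the job level under `build-and-publish` rather than at the workflow top level, so the OIDC token is only minted for the publish job and every other job keeps the default token scope. Note also that declaring any scope in a job-level `permissions` block sets every unlisted scope to `none`, so if this job relied on another scope before (for example `packages: write`), it now has to be listed explicitly or the job will fail at that step.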
| |||
281 | 284 | | |
282 | 285 | | |
283 | 286 | | |
284 | | - | |
285 | | - | |
286 | | - | |
| 287 | + | |
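Review bot: the single added line at 287 references `pypa/gh-action-pypi-publish@release/v1`, a mutable branch ref; since this job now holds an OIDC token that can publish to PyPI, pin the action to a full commit SHA (keeping the tag in a trailing comment) and let a dependency bot bump it, so that a force-pushed or compromised `release/v1` branch cannot silently swap the publisher. Separately, the three removed lines at 284-286 drop the `PYPI` secret and `uv publish`; follow through by deleting the repository secret and revoking the old API token on PyPI, and make sure the Trusted Publisher entry on PyPI names this workflow file (and environment, if one is set) exactly, otherwise the first tagged release fails at the upload step, which is the "would block releases" risk the summary calls out.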
0 commit comments