ci: use OIDC trusted publishing via wevm/changelogs (#138)

brendanjryan · web-flow · commit add1c6ba93ff · 2026-05-02T12:30:13.000-07:00
wevm/changelogs now natively supports PyPI Trusted Publishing (OIDC) as of tempoxyz/changelogs#116. When pypi-token is empty and the workflow has id-token: write, it mints a short-lived PyPI API token by exchanging the GitHub OIDC ID token at PyPI's _/oidc/mint-token endpoint, removing the need for a long-lived static API token. Pin to the merge commit (de02501) until a new changelogs release is cut, and grant id-token: write + environment: release to the release job so the OIDC mint flow runs and matches the registered Trusted Publisher (tempoxyz/pympp + publish.yml + release).
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -16,45 +16,16 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
-      id-token: write
-    outputs:
-      published: ${{ steps.changelogs.outputs.published }}
+      id-token: write   # required for PyPI Trusted Publishing (OIDC)
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: true
 
-      - id: changelogs
-        uses: wevm/changelogs@056ab043d7affcd6871e8d972b5b5362e7349b57 # changelogs@0.6.3
+      - uses: wevm/changelogs@de0250123a1d70a2b64a458bd5efcf313986df7a # OIDC trusted publishing
         with:
           ecosystem: python
           python-version: '3.12'
           conventional-commit: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  publish:
-    name: Publish to PyPI
-    needs: release
-    if: needs.release.outputs.published == 'true'
-    runs-on: ubuntu-latest
-    environment: release
-    permissions:
-      id-token: write
-      contents: read
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: '3.12'
-
-      - name: Build package
-        run: |
-          pip install build
-          python -m build
-
-      - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
