ci: convert to OIDC trusted publishing via pypa/gh-action-pypi-publish

Coding-Dev-Tools · Coding-Dev-Tools · commit f4075a97d306 · 2026-05-18T22:27:45.000-04:00
Replaces token-based twine upload with OpenID Connect (OIDC) trusted
publishing using pypa/gh-action-pypi-publish@release/v1. This eliminates
the need for PYPI_API_TOKEN and TEST_PYPI_API_TOKEN secrets.

Human step: register the repo at pypi.org as a trusted publisher.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -14,46 +14,43 @@ on:
           - testpypi
 
 jobs:
-  build-and-publish:
+  publish:
     runs-on: ubuntu-latest
+    environment: pypi
     permissions:
-      contents: read
       id-token: write
 
     steps:
       - uses: actions/checkout@v4
         with:
           persist-credentials: false
 
-      - name: Set up Python 3.11
+      - name: Set up Python 3.12
         uses: actions/setup-python@v5
         with:
-          python-version: "3.11"
+          python-version: "3.12"
 
-      - name: Install build deps
+      - name: Install dependencies
         run: |
+          python -m pip install --upgrade pip
           pip install build twine
 
       - name: Lint with ruff
         run: pip install ruff && ruff check src/ --target-version py310
 
       - name: Build package
-        run: |
-          python -m build
+        run: python -m build
 
-      - name: Publish to PyPI
-        if: ${{ inputs.pypi_target != 'testpypi' || github.event_name == 'release' }}
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
-        run: |
-          twine upload dist/* --verbose
+      - name: Check package
+        run: twine check dist/*
 
       - name: Publish to TestPyPI
         if: ${{ inputs.pypi_target == 'testpypi' }}
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.TEST_PYPI_API_TOKEN }}
-        run: |
-          twine upload --repository testpypi dist/* --verbose
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+
+      - name: Publish to PyPI
+        if: ${{ inputs.pypi_target == 'pypi' || github.event_name == 'release' }}
+        uses: pypa/gh-action-pypi-publish@release/v1
 
