From da29f4253cdec0d1eb08c4349a7a247455831bd5 Mon Sep 17 00:00:00 2001
From: bhimrazy
Date: Tue, 26 May 2026 12:38:18 +0545
Subject: [PATCH 1/5] ci: migrate PyPI release to trusted publishing (OIDC)

---
 .github/workflows/release-pypi.yml | 31 +++++++++++++++++-------------
 1 file changed, 18 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/release-pypi.yml b/.github/workflows/release-pypi.yml
index cbe06344..db7aea61 100644
--- a/.github/workflows/release-pypi.yml
+++ b/.github/workflows/release-pypi.yml
@@ -16,7 +16,6 @@ on: # Trigger the workflow on push or pull request, but only for the main branch
 jobs:
 build:
 runs-on: ubuntu-22.04
-
 steps:
 - uses: actions/checkout@v6
 - uses: actions/setup-python@v6
@@ -34,18 +33,24 @@ jobs:
 - name: Check package
 run: twine check dist/* --strict
- # We do this, since failures on test.pypi aren't that bad
- # - name: Publish to Test PyPI
- # if: startsWith(github.event.ref, 'refs/tags') || github.event_name == 'release'
- # uses: pypa/gh-action-pypi-publish@v1.10.0
- # with:
- # user: __token__
- # password: ${{ secrets.test_pypi_password }}
- # repository_url: https://test.pypi.org/legacy/
+ - uses: actions/upload-artifact@v4
+ with:
+ name: pypi-packages-${{ github.sha }}
+ path: dist
+
+ publish-pypi:
+ needs: build
+ if: startsWith(github.event.ref, 'refs/tags') || github.event_name == 'release'
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ environment: pypi
+ permissions:
+ id-token: write
+ steps:
+ - uses: actions/download-artifact@v4
+ with:
+ name: pypi-packages-${{ github.sha }}
+ path: dist
 - name: Publish distribution 📦 to PyPI
- if: startsWith(github.event.ref, 'refs/tags') || github.event_name == 'release'
 uses: pypa/gh-action-pypi-publish@v1.14.0
- with:
- user: __token__
- password: ${{ secrets.pypi_password }}

From 836eef4c02017c091b571376425d242e33dafc16 Mon Sep 17 00:00:00 2001
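Review bot: The new `publish-pypi` job is the only job in the hunk that declares `permissions:`, so `build` (whose head is in the previous hunk and whose remaining steps are outside this one) still runs with whatever the workflow or repository default token scope is; if the workflow has no top-level `permissions:` block (not visible here), add one so only the publishing job holds any write scope, e.g. `permissions:` / `  contents: read` at workflow level next to `on:`. Keeping `id-token: write` confined to `publish-pypi` is correct, since the OIDC token is the credential that trusted publishing exchanges with PyPI and no other step needs it. It would also help a future reader to state in a comment above `environment: pypi` that the environment name is part of the identity PyPI verifies, so it is not renamed casually.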
From: bhimrazy
Date: Tue, 26 May 2026 12:41:27 +0545
Subject: [PATCH 2/5] update

---
 .github/workflows/release-pypi.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/release-pypi.yml b/.github/workflows/release-pypi.yml
index db7aea61..c3e2bb23 100644
--- a/.github/workflows/release-pypi.yml
+++ b/.github/workflows/release-pypi.yml
@@ -43,7 +43,6 @@ jobs:
 if: startsWith(github.event.ref, 'refs/tags') || github.event_name == 'release'
 runs-on: ubuntu-latest
 timeout-minutes: 5
- environment: pypi
 permissions:
 id-token: write
 steps:

From 1a73c4504a16709a56a67ecdf390fb4cc3be1cad Mon Sep 17 00:00:00 2001
From: bhimrazy
Date: Tue, 26 May 2026 12:57:33 +0545
Subject: [PATCH 3/5] ci: add release assets upload and pin actions to commit SHAs

---
 .github/workflows/release-pypi.yml | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release-pypi.yml b/.github/workflows/release-pypi.yml
index c3e2bb23..1ec6375c 100644
--- a/.github/workflows/release-pypi.yml
+++ b/.github/workflows/release-pypi.yml
@@ -17,8 +17,8 @@ jobs:
 build:
 runs-on: ubuntu-22.04
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: "3.10"
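Review bot: Dropping `environment: pypi` from `publish-pypi` removes the deployment-environment boundary that trusted publishing is normally tied to, leaving the `if:` on the tag ref or `release` event as the only gate before an OIDC token is minted and a package is uploaded. PyPI trusted publishers can be registered with an environment name, and GitHub environments are where required-reviewer and deployment branch/tag rules live, so if the publisher was registered as `pypi` this change makes the token claims stop matching, and if it was not, the protection rules are lost for no stated reason (the commit message is just `update`). Prefer restoring `environment: pypi` and, if the environment is the problem, fixing it on the PyPI or repository settings side; the enclosing `publish-pypi:` job starts before this hunk and its `steps:` continue after it.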
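Review bot: The `actions/checkout` and `actions/setup-python` pins carry only a trailing `# v6.0.2` / `# v6.2.0` comment, and nothing in the diff ties each hash to that tag, so before merging confirm that every pin resolves to the named release in the action's repository (e.g. compare against `git ls-remote --tags`), otherwise the comment can silently disagree with the commit that actually runs. The same check applies to the `upload-artifact`, `download-artifact`, `upload-release-assets` and `gh-action-pypi-publish` pins introduced in the later hunks of this series. The `build:` job's remaining steps lie outside this hunk.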
@@ -33,11 +33,28 @@ jobs:
 - name: Check package
 run: twine check dist/* --strict
- - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: pypi-packages-${{ github.sha }}
 path: dist
+ upload-release-assets:
+ needs: build
+ if: github.event_name == 'release'
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ steps:
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+ with:
+ name: pypi-packages-${{ github.sha }}
+ path: dist
+ - run: ls -lh dist/
+ - name: Upload to release
+ uses: AButler/upload-release-assets@3d6774fae0ed91407dc5ae29d576b166536d1777 # v3.0
+ with:
+ files: "dist/*"
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+
 publish-pypi:
 needs: build
 if: startsWith(github.event.ref, 'refs/tags') || github.event_name == 'release'
@@ -46,10 +63,11 @@ jobs:
 permissions:
 id-token: write
 steps:
- - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: pypi-packages-${{ github.sha }}
 path: dist
+ - run: ls -lh dist/
 - name: Publish distribution 📦 to PyPI
- uses: pypa/gh-action-pypi-publish@v1.14.0
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0

From cf89c4e40c3e2dec8bbd623e1340cf15ac1439f7 Mon Sep 17 00:00:00 2001
From: bhimrazy
Date: Tue, 26 May 2026 13:11:09 +0545
Subject: [PATCH 4/5] ci: bump artifact and release-assets actions to latest stable SHAs

---
 .github/workflows/release-pypi.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release-pypi.yml b/.github/workflows/release-pypi.yml
index 1ec6375c..f9f5aa78 100644
--- a/.github/workflows/release-pypi.yml
+++ b/.github/workflows/release-pypi.yml
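Review bot: The new `upload-release-assets` job declares no `permissions:` block, unlike `publish-pypi` a few lines below, so it hands `${{ secrets.GITHUB_TOKEN }}` to a third-party action with whatever the workflow or repository default scope is; uploading release assets needs only `contents: write`, so add `permissions:` / `  contents: write` to the job after `timeout-minutes: 5` so the token is neither broader than needed nor, under a read-only default, too narrow for the upload to succeed. `AButler/upload-release-assets` is an individually maintained action receiving that token, which makes the SHA pin done here the right choice and a narrowly scoped token the second line of defence. The two `- run: ls -lh dist/` steps (here and in the `publish-pypi` hunk below) are unnamed; a `name: List built distributions` would make the release logs easier to audit. The `- - uses: actions/upload-artifact@ea16…` removed line reads identically to the added one in this copy of the patch, which looks like an extraction artifact rather than a real no-op change.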
@@ -33,7 +33,7 @@ jobs:
 - name: Check package
 run: twine check dist/* --strict
- - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: pypi-packages-${{ github.sha }}
 path: dist
@@ -44,13 +44,13 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 5
 steps:
- - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: pypi-packages-${{ github.sha }}
 path: dist
 - run: ls -lh dist/
 - name: Upload to release
- uses: AButler/upload-release-assets@3d6774fae0ed91407dc5ae29d576b166536d1777 # v3.0
+ uses: AButler/upload-release-assets@34491005a5d7ec239a784e460807ce844fde7962 # v4.0.0
 with:
 files: "dist/*"
 repo-token: ${{ secrets.GITHUB_TOKEN }}
@@ -63,7 +63,7 @@ jobs:
 permissions:
 id-token: write
 steps:
- - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: pypi-packages-${{ github.sha }}
 path: dist

From 2015e1790d1701917b5aeadc4c392e2226d9e587 Mon Sep 17 00:00:00 2001
From: Deependu
Date: Fri, 29 May 2026 11:33:04 +0530
Subject: [PATCH 5/5] Apply suggestion from @deependujha

---
 .github/workflows/release-pypi.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-pypi.yml b/.github/workflows/release-pypi.yml
index ea3da070..f9f5aa78 100644
--- a/.github/workflows/release-pypi.yml
+++ b/.github/workflows/release-pypi.yml
@@ -70,4 +70,4 @@ jobs:
 - run: ls -lh dist/
 - name: Publish distribution 📦 to PyPI
- uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
\ No newline at end of file
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
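Review bot: This hunk moves `actions/upload-artifact` to `# v7.0.1` while both `actions/download-artifact` pins (the `upload-release-assets` hunk and the `publish-pypi` hunk below) move to `# v8.0.1`; the upload and download actions have historically had to agree on the artifact-format generation, so confirm from their release notes that a v7 upload is readable by a v8 download before a real tag exercises this path, because the `if:` gates mean ordinary pushes never run the download side. As with the earlier pins, verify that each new SHA is the commit the `# vX.Y.Z` comment claims rather than trusting the comment. `AButler/upload-release-assets` also jumps a major version (`# v3.0` to `# v4.0.0`) with `files:` and `repo-token:` kept as they were; check its changelog for renamed inputs, since an unknown input fails silently or at release time rather than in CI.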