From 5e9ec6a0dc2f133ce7b0e00d4567145117131e11 Mon Sep 17 00:00:00 2001
From: Venkatesh-6921
Date: Wed, 13 May 2026 12:34:32 +0530
Subject: [PATCH] fix: use PYPI_API_TOKEN secret instead of OIDC for PyPI publishing
---
 .github/workflows/publish.yml | 28 ++--------------------------
 CHANGELOG.md | 4 ++--
 README.md | 6 ++++--
 3 files changed, 8 insertions(+), 30 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index b9c2812..e2ce16f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,10 +5,6 @@ on:
 tags:
 - "v*.*.*"
-permissions:
- contents: read
- id-token: write # Required for OIDC trusted publishing
-
 jobs:
 build:
 name: Build distribution
@@ -44,29 +40,10 @@ jobs:
 name: dist
 path: dist/
- - name: Publish to PyPI (OIDC — no token needed)
- uses: pypa/gh-action-pypi-publish@release/v1
-
- publish-testpypi:
- name: Publish to TestPyPI
- runs-on: ubuntu-latest
- needs: build
- environment:
- name: testpypi
- url: https://test.pypi.org/p/imprint-cli
-
- steps:
- - name: Download dist
- uses: actions/download-artifact@v4
- with:
- name: dist
- path: dist/
-
- - name: Publish to TestPyPI (OIDC)
+ - name: Publish to PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
 with:
- repository-url: https://upload.pypi.org/legacy/
- skip-existing: true
+ password: ${{ secrets.PYPI_API_TOKEN }}
 github-release:
 name: Create GitHub Release
@@ -93,7 +70,6 @@ jobs:
 python - <<'EOF'
 import re, os, sys
 content = open("CHANGELOG.md").read()
- # extract section for this version
 pattern = rf"## \[{re.escape(os.environ['GITHUB_REF_NAME'].lstrip('v'))}\].*?(?=\n## \[|\Z)"
 match = re.search(pattern, content, re.DOTALL)
 notes = match.group(0).strip() if match else "See CHANGELOG.md for details."
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d902486..137cae7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
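Review bot: Deleting the whole `permissions:` block in the first hunk goes further than dropping OIDC requires: with no top-level `permissions:` the workflow's `GITHUB_TOKEN` falls back to the repository's default scopes, which can be read/write on every job, whereas the removed block had pinned it to `contents: read`. Only the `id-token: write` line became unnecessary; keeping `permissions:` / `  contents: read` at the top (with a job-level `contents: write` on `github-release` if it does not already declare one — that job's definition is outside this hunk) preserves least privilege for the build and publish jobs. The removal also drops the only inline explanation of the block, so a short comment such as `# least privilege: jobs needing more declare it themselves` would help the next reader.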
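Review bot: `password: ${{ secrets.PYPI_API_TOKEN }}` in the second hunk introduces a long-lived credential where the previous step had none, and nothing in the hunk scopes it. If the publish job still declares an `environment:` (its header is above this hunk), the token should live as an environment secret behind that environment's protection rules rather than as a plain repository secret, and on the PyPI side it should be a project-scoped token for imprint-cli so a leak cannot reach other projects. pypa/gh-action-pypi-publish appears to generate PEP 740 attestations only under trusted publishing, so removing `id-token: write` most likely disables them silently; if that is intended, `attestations: false` records the choice explicitly (verify against the action's documentation). Removing the `publish-testpypi` job also removes the only rehearsal upload before the production one, which is worth stating in the commit message.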
@@ -22,7 +22,7 @@ Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - **Snapshot Comparison**: Diff two snapshots side-by-side with `imp compare `.
 - **Interactive Init Wizard**: Guided first-run setup with `imp init`.
 - **Nord-Inspired Theme**: Complete UI overhaul with a Nord color palette, two-panel dashboard, progress bars, and branded ASCII logo.
-- **OIDC PyPI Publishing**: GitHub Actions workflow with trusted publishing (no API tokens needed).
+- **Automated PyPI Publishing**: GitHub Actions workflow using `PYPI_API_TOKEN` secret for secure publishing.
 - **CI Matrix**: Test against Python 3.11, 3.12, 3.13 on Ubuntu and macOS.
 - **Dependabot**: Automated dependency updates for pip and GitHub Actions.
 - **Dry-Run Restore**: Preview what `imp restore` would do without making changes.
@@ -42,7 +42,7 @@ Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - **SSH Config collector**: Restricted to Host aliases only — never captures keys, passwords, or IdentityFile paths.
 - **Key file permissions**: Encryption keys created with `chmod 0o600`.
 - **No `shell=True`**: All subprocess calls use list arguments to prevent shell injection.
-- **OIDC publishing**: No PyPI API tokens stored in repository or CI.
+- **Token-based publishing**: `PYPI_API_TOKEN` stored as GitHub repository secret, never in code.
 ---
diff --git a/README.md b/README.md
index 5a0ac27..2e57f08 100644
--- a/README.md
+++ b/README.md
@@ -116,15 +116,17 @@ All subprocess calls use list arguments (no `shell=True`) to prevent shell injec
 ## 📦 Publishing
-imprint-cli uses **OIDC trusted publishing** — no API tokens needed:
+imprint-cli uses GitHub Actions with a `PYPI_API_TOKEN` secret for automated publishing:
 ```bash
-# Tag a release on main
+# Tag a release on main (after merging PR)
 git tag v3.0.0
 git push origin main --tags
 # GitHub Actions automatically builds and publishes to PyPI
 ```
+> **Setup:** Add your PyPI API token as a repository secret named `PYPI_API_TOKEN` in **Settings → Secrets → Actions**.
+
 ---
 ## 🤝 Contributing