fix: use PYPI_API_TOKEN secret instead of OIDC for PyPI publishing

.github/workflows/publish.yml

@@ -5,10 +5,6 @@ on:
     tags:
       - "v*.*.*"
 
-permissions:
-  contents: read
-  id-token: write   # Required for OIDC trusted publishing
-
 jobs:
   build:
     name: Build distribution
@@ -44,29 +40,10 @@ jobs:
           name: dist
           path: dist/
 
-      - name: Publish to PyPI (OIDC — no token needed)
-        uses: pypa/gh-action-pypi-publish@release/v1
-
-  publish-testpypi:
-    name: Publish to TestPyPI
-    runs-on: ubuntu-latest
-    needs: build
-    environment:
-      name: testpypi
-      url: https://test.pypi.org/p/imprint-cli
-
-    steps:
-      - name: Download dist
-        uses: actions/download-artifact@v4
-        with:
-          name: dist
-          path: dist/
-
-      - name: Publish to TestPyPI (OIDC)
+      - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          repository-url: https://upload.pypi.org/legacy/
-          skip-existing: true
+          password: ${{ secrets.PYPI_API_TOKEN }}
 
   github-release:
     name: Create GitHub Release
@@ -93,7 +70,6 @@ jobs:
           python - <<'EOF'
           import re, os, sys
           content = open("CHANGELOG.md").read()
-          # extract section for this version
           pattern = rf"## \[{re.escape(os.environ['GITHUB_REF_NAME'].lstrip('v'))}\].*?(?=\n## \[|\Z)"
           match = re.search(pattern, content, re.DOTALL)
           notes = match.group(0).strip() if match else "See CHANGELOG.md for details."

CHANGELOG.md

@@ -22,7 +22,7 @@ Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - **Snapshot Comparison**: Diff two snapshots side-by-side with `imp compare <a> <b>`.
 - **Interactive Init Wizard**: Guided first-run setup with `imp init`.
 - **Nord-Inspired Theme**: Complete UI overhaul with a Nord color palette, two-panel dashboard, progress bars, and branded ASCII logo.
-- **OIDC PyPI Publishing**: GitHub Actions workflow with trusted publishing (no API tokens needed).
+- **Automated PyPI Publishing**: GitHub Actions workflow using `PYPI_API_TOKEN` secret for secure publishing.
 - **CI Matrix**: Test against Python 3.11, 3.12, 3.13 on Ubuntu and macOS.
 - **Dependabot**: Automated dependency updates for pip and GitHub Actions.
 - **Dry-Run Restore**: Preview what `imp restore` would do without making changes.
@@ -42,7 +42,7 @@ Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - **SSH Config collector**: Restricted to Host aliases only — never captures keys, passwords, or IdentityFile paths.
 - **Key file permissions**: Encryption keys created with `chmod 0o600`.
 - **No `shell=True`**: All subprocess calls use list arguments to prevent shell injection.
-- **OIDC publishing**: No PyPI API tokens stored in repository or CI.
+- **Token-based publishing**: `PYPI_API_TOKEN` stored as GitHub repository secret, never in code.
 
 ---
 

README.md

@@ -116,15 +116,17 @@ All subprocess calls use list arguments (no `shell=True`) to prevent shell injec
 
 ## 📦 Publishing
 
-imprint-cli uses **OIDC trusted publishing** — no API tokens needed:
+imprint-cli uses GitHub Actions with a `PYPI_API_TOKEN` secret for automated publishing:
 
 ```bash
-# Tag a release on main
+# Tag a release on main (after merging PR)
 git tag v3.0.0
 git push origin main --tags
 # GitHub Actions automatically builds and publishes to PyPI
 ```
 
+> **Setup:** Add your PyPI API token as a repository secret named `PYPI_API_TOKEN` in **Settings → Secrets → Actions**.
+
 ---
 
 ## 🤝 Contributing