Fix release workflow to use trusted publishing (#949)

athackst · github-actions[bot] · web-flow · commit afc6c472629d · 2026-03-12T12:35:35.000-07:00
* Fix release workflow to use trusted publishing

* chore: apply automated version bump

---------

Co-authored-by: github-actions[bot] &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;
diff --git a/.github/bump.sh b/.github/bump.sh
@@ -1,2 +1,2 @@
 echo "Bumping version to ${VERSION}"
-echo "v${VERSION}" > VERSION
+echo "${VERSION}" > VERSION
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,24 +6,47 @@ on:
   workflow_dispatch:
 
 jobs:
-  release-pypi:
+  build-pypi:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
           python-version: "3.x"
           cache: 'pip'
-      - name: Build and Publish
-        env:
-          HATCH_INDEX_USER: ${{ secrets.PYPI_USERNAME }}
-          HATCH_INDEX_AUTH: ${{ secrets.PYPI_PASSWORD }}
+      - name: Build distributions
         run: |
           python -m pip install --upgrade pip
-          pip install -U hatch
-          hatch build
-          hatch publish 
+          python -m pip install build hatchling
+          python -m build
+      - name: Store the distribution packages
+        uses: actions/upload-artifact@v5
+        with:
+          name: python-package-distributions
+          path: dist/
+
+  release-pypi:
+    name: Upload release to PyPI
+    needs:
+    - build-pypi
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/mkdocs-simple-plugin
+    permissions:
+      id-token: write  # IMPORTANT: mandatory for trusted publishing
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v6
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Publish distribution to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
+
   release-docker:
     runs-on: ubuntu-latest
     steps:
diff --git a/.gitignore b/.gitignore
@@ -9,3 +9,4 @@ dist/
 venv/
 docs/
 artifact.tar
+.env
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-v4.0.1
+4.0.1

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`echo "Bumping version to ${VERSION}"`
`2`		`-echo "v${VERSION}" > VERSION`
	`2`	`+echo "${VERSION}" > VERSION`
-Original file line number
+Diff line change
 venv/
 docs/
 artifact.tar
 +.env