From a5239bb8d7cd680dd3345e6d214addcc93c7fb6b Mon Sep 17 00:00:00 2001 From: David Zhao Date: Thu, 15 May 2025 11:09:29 -0700 Subject: [PATCH 1/4] use trusted publishers instead of id token --- .github/workflows/build-protocol.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/build-protocol.yml b/.github/workflows/build-protocol.yml index 18e90e6f..836dd68d 100644 --- a/.github/workflows/build-protocol.yml +++ b/.github/workflows/build-protocol.yml @@ -90,9 +90,6 @@ jobs: path: dist - uses: pypa/gh-action-pypi-publish@release/v1 - with: - user: __token__ - password: ${{ secrets.PYPI_API_TOKEN }} docs: needs: [publish] From 73e321c64b6cbb85471263cbbd2e303f546c99a9 Mon Sep 17 00:00:00 2001 From: David Zhao Date: Thu, 15 May 2025 11:12:13 -0700 Subject: [PATCH 2/4] allow publishing for testing --- .github/workflows/build-protocol.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-protocol.yml b/.github/workflows/build-protocol.yml index 836dd68d..44a83033 100644 --- a/.github/workflows/build-protocol.yml +++ b/.github/workflows/build-protocol.yml @@ -82,7 +82,7 @@ jobs: runs-on: ubuntu-latest permissions: id-token: write - if: startsWith(github.ref, 'refs/tags/protocol-v') + steps: - uses: actions/download-artifact@v4 with: From 61e73f16fb0b3569d39305a3c3c073617b9c04b0 Mon Sep 17 00:00:00 2001 From: David Zhao Date: Thu, 15 May 2025 11:14:05 -0700 Subject: [PATCH 3/4] restore publish on tags --- .github/workflows/build-protocol.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-protocol.yml b/.github/workflows/build-protocol.yml index 44a83033..836dd68d 100644 --- a/.github/workflows/build-protocol.yml +++ b/.github/workflows/build-protocol.yml @@ -82,7 +82,7 @@ jobs: runs-on: ubuntu-latest permissions: id-token: write - + if: startsWith(github.ref, 'refs/tags/protocol-v') steps: - uses: actions/download-artifact@v4 with: 
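Review bot: With the `if:` line blanked out in PATCH 2/4, the publish job (which holds `id-token: write`) is no longer limited to `protocol-v` tags and would attempt an upload on every event that triggers this workflow; the trigger list is outside the hunk. PATCH 3/4 restores the guard, so the gap exists only if this commit is built or cherry-picked on its own, and squashing 2/4 into 3/4 would remove it from history. For a test run, keeping the tag guard and pointing the publish step at TestPyPI through the action's `repository-url` input, with a separate trusted-publisher entry there, avoids an ungated path to the real index.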
From 6d14c46fff391096b58e95c81072ae0449dbf633 Mon Sep 17 00:00:00 2001 From: David Zhao Date: Thu, 15 May 2025 12:56:20 -0700 Subject: [PATCH 4/4] switch api and rtc as well --- .github/workflows/build-api.yml | 5 +---- .github/workflows/build-protocol.yml | 2 +- .github/workflows/build-rtc.yml | 5 +---- 3 files changed, 3 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build-api.yml b/.github/workflows/build-api.yml index 941c2bee..82c09249 100644 --- a/.github/workflows/build-api.yml +++ b/.github/workflows/build-api.yml @@ -50,7 +50,7 @@ jobs: runs-on: ubuntu-latest permissions: id-token: write - if: startsWith(github.ref, 'refs/tags/api-v') + if: startsWith(github.ref, 'refs/tags/api-v') && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) steps: - uses: actions/download-artifact@v4 with: @@ -58,9 +58,6 @@ jobs: path: dist - uses: pypa/gh-action-pypi-publish@release/v1 - with: - user: __token__ - password: ${{ secrets.PYPI_API_TOKEN }} docs: needs: [publish] diff --git a/.github/workflows/build-protocol.yml b/.github/workflows/build-protocol.yml index 836dd68d..21357a68 100644 --- a/.github/workflows/build-protocol.yml +++ b/.github/workflows/build-protocol.yml @@ -82,7 +82,7 @@ jobs: runs-on: ubuntu-latest permissions: id-token: write - if: startsWith(github.ref, 'refs/tags/protocol-v') + if: startsWith(github.ref, 'refs/tags/protocol-v') && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) steps: - uses: actions/download-artifact@v4 with: diff --git a/.github/workflows/build-rtc.yml b/.github/workflows/build-rtc.yml index 791b57f3..d457eeef 100644 --- a/.github/workflows/build-rtc.yml +++ b/.github/workflows/build-rtc.yml 
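Review bot: The clause `(github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false)` added to the publish job's `if:` in build-api.yml looks like it can never change the outcome, because on `pull_request` events `github.ref` is `refs/pull/<N>/merge` and `startsWith(github.ref, 'refs/tags/api-v')` is already false. The same expression is added in the build-protocol.yml and build-rtc.yml hunks. If tag pushes are the only intended trigger, `if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/api-v')` states the gate directly, and a job-level `environment: <ENVIRONMENT_NAME>` that the PyPI trusted-publisher entry also names (with required reviewers) adds a control that a pushed tag alone cannot bypass. Since every step in this job can request the OIDC token, the `uses:` references in it (`actions/download-artifact@v4` here, the publish action at `release/v1` in the next hunk) are worth pinning to full commit SHAs, and the now-unused `PYPI_API_TOKEN` should be revoked on PyPI and deleted from the repository secrets. The job body continues outside the hunk.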
@@ -126,7 +126,7 @@ jobs: runs-on: ubuntu-latest permissions: id-token: write - if: startsWith(github.ref, 'refs/tags/rtc-v') + if: startsWith(github.ref, 'refs/tags/rtc-v') && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) steps: - uses: actions/download-artifact@v4 with: @@ -135,9 +135,6 @@ jobs: merge-multiple: true - uses: pypa/gh-action-pypi-publish@release/v1 - with: - user: __token__ - password: ${{ secrets.PYPI_API_TOKEN }} docs: needs: [publish]