Fix PyPI trusted publisher environment

[zackees]

Summary

• declare the \pypi\ GitHub environment on the PyPI publish job so the OIDC token includes \environment: pypi`n- scope publish job permissions to \contents: read\ and \id-token: write`n- document the exact PyPI Trusted Publisher fields needed for \FastLED/fbuild`n
  Fixes the PyPI trusted publishing failure from https://github.com/FastLED/fbuild/actions/runs/24754127872/job/72425538784, where PyPI rejected the OIDC exchange with \invalid-publisher\ and \environment: MISSING.

Verification

• rebased branch on current \origin/main\ before editing and again before push
• parsed .github/workflows/release-auto.yml\ with PyYAML and asserted \publish-pypi.environment == pypi\ plus expected permissions
• \git diff --check`n- confirmed branch worktree has no untracked or uncommitted files

Summary by CodeRabbit

• Documentation

  • Updated release workflow documentation to clarify PyPI GitHub Actions Trusted Publisher configuration requirements.

• Chores

  • Enhanced release automation security by configuring GitHub Actions environment settings and explicit permission constraints for PyPI publishing.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 36b34055-3997-4a07-a493-4f6867f849a2

📥 Commits

Reviewing files that changed from the base of the PR and between 07e9e26 and e6a95ef.

📒 Files selected for processing (2)

• .github/workflows/README.md
• .github/workflows/release-auto.yml

---

📝 Walkthrough

Walkthrough

Updates GitHub Actions workflow configuration and documentation to enforce PyPI Trusted Publisher setup. Adds the pypi GitHub environment declaration to the publish-pypi job and explicit permissions (contents: read, id-token: write) for OIDC token issuance, with supporting documentation on the configuration requirement.

Changes

Cohort / File(s)	Summary
PyPI Trusted Publisher Configuration \.github/workflows/README.md, \.github/workflows/release-auto.yml	Declares GitHub pypi environment in publish-pypi job with read-only repository access and OIDC token write permissions. Documentation clarifies the Trusted Publisher requirement and OIDC token exchange flow for PyPI authentication.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 Hoppity-hop, the tokens dance so free,
PyPI's trust now comes from OIDC,
With environment: pypi declared with care,
And permissions set for credentials fair,
Our workflows now publish without despair! 📦

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and clearly summarizes the main change: adding the PyPI trusted publisher environment configuration to the workflow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/fix-pypi-trusted-publisher-env

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}