From 0b699cca393b4f6ca4a1cab0efcf1838bb52438f Mon Sep 17 00:00:00 2001 From: Chris Sewell Date: Tue, 19 May 2026 13:27:50 +0200 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=A7=20Switch=20PyPI=20publishing=20to?= =?UTF-8?q?=20trusted=20publishing=20(OIDC)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace long-lived API token with PyPI trusted publishing via pypa/gh-action-pypi-publish. This uses short-lived OIDC credentials scoped to the CI workflow, eliminating the need for stored secrets.
---
 .github/workflows/tests.yml | 50 ++++++++++++++++--------------------- 1 file changed, 22 insertions(+), 28 deletions(-)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index f68f84dd..7c56db48 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -126,49 +126,43 @@ jobs: publish: - name: Publish myst-parser to PyPi + name: Publish myst-parser to PyPI needs: - check if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags') runs-on: ubuntu-latest + permissions: + id-token: write + environment: + name: pypi + url: https://pypi.org/p/myst-parser steps: - - name: Checkout source - uses: actions/checkout@v6 - - name: Set up Python 3.11 - uses: actions/setup-python@v6 + - uses: actions/checkout@v6 + - uses: actions/setup-python@v6 with: python-version: "3.11" - - name: install flit - run: | - pip install flit~=3.4 - - name: Build and publish - run: | - flit publish - env: - FLIT_USERNAME: __token__ - FLIT_PASSWORD: ${{ secrets.PYPI_KEY }} + - run: pip install flit~=3.4 + - run: flit build + - uses: pypa/gh-action-pypi-publish@release/v1 publish-docutils: - name: Publish myst-docutils to PyPi + name: Publish myst-docutils to PyPI needs: [publish] if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags') runs-on: ubuntu-latest + permissions: + id-token: write + environment: + name: pypi + url: https://pypi.org/p/myst-docutils steps: - - name: Checkout source - uses: actions/checkout@v6 - - name: Set up Python 3.11 - uses: actions/setup-python@v6 + - uses: actions/checkout@v6 + - uses: actions/setup-python@v6 with: python-version: "3.11" - - name: install flit and tomlkit - run: | - pip install flit~=3.4 tomlkit + - run: pip install flit~=3.4 tomlkit - name: Modify setup run: python .github/workflows/docutils_setup.py pyproject.toml README.md - - name: Build and publish - run: | - flit publish - env: - FLIT_USERNAME: __token__ - FLIT_PASSWORD: ${{ secrets.PYPI_KEY_DOCUTILS }} + - run: flit build + - uses: pypa/gh-action-pypi-publish@release/v1
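Review bot: Both new `- uses: pypa/gh-action-pypi-publish@release/v1` lines (in `publish` and again in `publish-docutils`) reference a mutable branch, so the step that exchanges the OIDC token for the upload credential resolves at run time to whatever that branch currently points at; pinning it to a full commit SHA with the tracked ref in a trailing comment, e.g. `- uses: pypa/gh-action-pypi-publish@<commit-sha>  # release/v1`, makes the publishing path reproducible and still lets Dependabot/Renovate propose updates (the `actions/checkout@v6` and `actions/setup-python@v6` tags are mutable too, though they predate this change). Because the new job-level `permissions:` block lists only `id-token: write`, every other scope is reduced to none for these two jobs; checkout appears to work on a public repository without it, but adding `contents: read` next to it documents the intent and keeps the jobs working if repository visibility ever changes. The `environment: pypi` entries only take effect if a matching `pypi` environment exists in the repository settings and the PyPI trusted-publisher registration names this workflow file and that environment, so a deployment protection rule on the environment (tag-only deployments or required reviewers) is worth configuring, since the `if:` check on `refs/tags` is a routing condition rather than an access control. The enclosing `jobs:` mapping starts outside the hunk, and trailing context after the last added line may have been lost in the collapsed rendering.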