diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ef3c93e..ba86c0a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,13 +11,15 @@ on: - '[0-9]+.[0-9]+.[0-9]+' # stable: 2.7.2 - '[0-9]+.[0-9]+.[0-9]+[a-z]+[0-9]+' # pre-release: 2.0.0rc1, 4.0.0a2 -# Needed for softprops/action-gh-release to create the GitHub Release. +# contents: write -> create the GitHub Release; id-token: write -> OIDC for PyPI Trusted Publishing. permissions: contents: write + id-token: write jobs: release: runs-on: ubuntu-latest + environment: pypi # scopes the PyPI Trusted Publisher; hook for approval rules steps: - uses: actions/checkout@v6 - uses: extractions/setup-just@v4 @@ -26,9 +28,9 @@ jobs: # PyPI is irreversible, so it runs FIRST: if it fails the job stops and no # GitHub Release is created advertising a version that never reached PyPI. # `just publish` derives the version from $GITHUB_REF_NAME (the tag name). + # Auth via PyPI Trusted Publishing (OIDC); no PYPI_TOKEN. Needs a Trusted + # Publisher on the modern-di-fastapi PyPI project (env: pypi, workflow: release.yml). - run: just publish - env: - PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }} # Description source: planning/releases/.md if present (verbatim, no # auto-changelog appended); otherwise GitHub's generated notes. A tag with diff --git a/Justfile b/Justfile index 498be36..e9c010c 100644 --- a/Justfile +++ b/Justfile @@ -32,8 +32,9 @@ test-ci: test-branch: uv run --no-sync pytest --cov=. --cov-branch --cov-fail-under=100 +# Auth via PyPI Trusted Publishing (OIDC); uv publish auto-detects the CI id-token. publish: rm -rf dist uv version $GITHUB_REF_NAME uv build - uv publish --token $PYPI_TOKEN + uv publish