ci(release): Migrate to PyPI Trusted Publisher (#57)

tony · web-flow · commit d5cd6306c60f · 2025-12-07T16:41:19.000-06:00
- Migrate PyPI publishing from API token to OIDC-based Trusted Publisher
- Enable package attestations for supply chain security
- Fix deprecated `skip_existing` parameter
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -59,6 +59,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+    permissions:
+      id-token: write
+      attestations: write
 
     strategy:
       matrix:
@@ -86,6 +89,5 @@ jobs:
         if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
-          skip_existing: true
+          attestations: true
+          skip-existing: true
diff --git a/CHANGES b/CHANGES
@@ -28,7 +28,9 @@ $ uvx --from 'gp-libs' --prerelease allow gp-libs
 
 ## gp-libs 0.0.17 (unreleased)
 
-_Add your latest changes from PRs here_
+### CI
+
+- Migrate to PyPI Trusted Publisher (#57)
 
 ## gp-libs 0.0.16 (2025-11-25)
 
