fix: add OIDC permissions and remove API tokens

savourylie · savourylie · commit a0614efbbcc9 · 2025-08-25T10:48:50.000+08:00
- Add id-token: write permissions for trusted publishing
- Remove API token references in favor of OIDC
- Fixes PyPI publishing authentication
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -66,6 +66,9 @@ jobs:
     runs-on: ubuntu-latest
     if: (github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'test') || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/'))
     environment: test-pypi
+    permissions:
+      id-token: write
+      contents: read
     steps:
     - name: Download build artifacts
       uses: actions/download-artifact@v4
@@ -77,7 +80,6 @@ jobs:
       uses: pypa/gh-action-pypi-publish@release/v1
       with:
         repository-url: https://test.pypi.org/legacy/
-        password: ${{ secrets.TEST_PYPI_API_TOKEN }}
 
     - name: Test installation from Test PyPI
       run: |
@@ -90,6 +92,9 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'production'
     environment: production-pypi
+    permissions:
+      id-token: write
+      contents: read
     steps:
     - name: Download build artifacts
       uses: actions/download-artifact@v4
@@ -99,8 +104,6 @@ jobs:
 
     - name: Publish to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        password: ${{ secrets.PYPI_API_TOKEN }}
 
   create-release:
     needs: [build, deploy-production]
