From 6c7ca09babc0a591bc313138203f80d17c563cc3 Mon Sep 17 00:00:00 2001 From: Nikolaus Waxweiler Date: Tue, 23 Sep 2025 11:51:46 +0100 Subject: [PATCH] Use trusted publishing In light of the recent npm supply chain attacks and also https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/, I'm combing through our font stack to see if all them Py projects are using the trusted publisher mechanism as recommended by PyPI. See https://docs.pypi.org/trusted-publishers/ and https://docs.astral.sh/uv/guides/integration/github/#publishing-to-pypi. Someone needs to do three things for this PR to work: * Create an environment called "publish-to-pypi" in this GitHub repository under Settings -> Environments. Creating alone is probably enough, no configuration needed I think. * Follow https://docs.pypi.org/trusted-publishers/adding-a-publisher/ to set up the other side on PyPI. * Remove tokens/secret variables here so they can't be exfiltrated anymore, and probably also remove them from PyPI.
---
 .github/workflows/ci.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a86faba..0043beb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -74,6 +74,11 @@ jobs:
 needs: [build_sdist, build_wheels]
 runs-on: ubuntu-latest
 if: github.event_name == 'release' && github.event.action == 'published'
+ environment:
+ name: publish-to-pypi
+ url: https://pypi.org/p/opentype-sanitizer
+ permissions:
+ id-token: write # IMPORTANT: mandatory for trusted publishing.
 steps:
 - uses: actions/download-artifact@v4
@@ -81,7 +86,5 @@ jobs:
 path: dist
 merge-multiple: true
- - uses: pypa/gh-action-pypi-publish@v1.12.0
- with:
- user: __token__
- password: ${{ secrets.PYPI_PASSWORD }}
+ - name: Publish package distributions to PyPI
+ uses: pypa/gh-action-pypi-publish@v1.13.0
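Review bot: The comment on `id-token: write` in the first hunk should also record that a job-level `permissions:` block leaves every scope it does not list at `none`, so a step added to this job later that needs, for example, `contents: read` will fail until it is listed. I would extend it to `# Required for trusted publishing (OIDC); every other GITHUB_TOKEN scope is none for this job.` A second comment above `name: publish-to-pypi` would help too, `# Must match the environment name registered for the trusted publisher on PyPI.`, because the token is presumably only accepted when that name matches what was registered there. The job's header line sits above the hunk, so the job name is not visible here.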
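Review bot: In the second hunk, `pypa/gh-action-pypi-publish@v1.13.0` is referenced by tag in the one job that holds `id-token: write`. A tag can be moved after the fact, so the code that runs with the ability to obtain a PyPI upload token is not fixed by this reference. Pin the action to the full commit SHA and keep the version as a trailing comment, `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # v1.13.0`. The same applies to `actions/download-artifact@v4` in the context lines of the first hunk, since it runs in the same job.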