From ed84f30b3c22c63884578a813673001b3733fdc2 Mon Sep 17 00:00:00 2001 From: Gerrod Ubben Date: Tue, 28 Oct 2025 14:37:54 -0400 Subject: [PATCH 1/3] Update publish workflow to use PyPI Trusted Publisher --- .../github/.github/workflows/publish.yml.j2 | 41 ++++++------------- 1 file changed, 13 insertions(+), 28 deletions(-) diff --git a/templates/github/.github/workflows/publish.yml.j2 b/templates/github/.github/workflows/publish.yml.j2 index ae6a448a..87f825a9 100644 --- a/templates/github/.github/workflows/publish.yml.j2 +++ b/templates/github/.github/workflows/publish.yml.j2 @@ -30,27 +30,21 @@ jobs: runs-on: "ubuntu-latest" needs: - "build" - - env: - GITHUB_TOKEN: "{{ '${{ secrets.GITHUB_TOKEN }}' }}" + environment: + name: "pypi" + url: "https://pypi.org/p/{{ plugin_name | dash }}" + permissions: + id-token: "write" steps: - {{ checkout(depth=1, path=plugin_name) | indent(6) }} - - uses: "actions/download-artifact@v4" with: name: "plugin_package" - path: "{{ plugin_name }}/dist/" + path: "dist/" - {{ setup_python() | indent(6) }} + - name: "Publish package to PyPI" + uses: pypa/gh-action-pypi-publish@release/v1 - {{ install_python_deps(["twine"]) | indent(6) }} - - {{ set_secrets() | indent(6) }} - - - name: "Deploy plugin to pypi" - run: | - .github/workflows/scripts/publish_plugin_pypi.sh {{ "${{ github.ref_name }}" }} {%- endif %} {%- if plugins %} @@ -59,18 +53,16 @@ jobs: runs-on: "ubuntu-latest" needs: - "build" - - env: - GITHUB_TOKEN: "{{ '${{ secrets.GITHUB_TOKEN }}' }}" + environment: + name: "pypi" + permissions: + id-token: "write" steps: - {{ checkout(depth=1, path=plugin_name) | indent(6) }} - - name: "Download Python client" uses: "actions/download-artifact@v4" with: name: "python-client.tar" - path: "{{ plugin_name }}/" - name: "Untar python client packages" run: | 
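Review bot: The new "Publish package to PyPI" step references `pypa/gh-action-pypi-publish@release/v1`, a branch that can move, in a job that now holds `id-token: "write"`. Whatever that branch points to at run time can request the OIDC token used to publish. Pin the action to a full commit SHA and keep the branch as a comment, e.g. `uses: "pypa/gh-action-pypi-publish@<full-commit-sha>"  # release/v1` (placeholder; take the SHA from the upstream release), which also restores the quoting used by the other `uses:` values in this file. The same unpinned line is added to the "Publish client to pypi" step in the `@@ -78,15 +70,8 @@` hunk, and `rubygems/configure-rubygems-credentials@v1.0.0` in patch 2/3 is a tag rather than a SHA. The job definition starts outside this hunk.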
@@ -78,15 +70,8 @@ jobs: tar -xvf {{ plugin.app_label }}-python-client.tar {%- endfor %} - {{ setup_python() | indent(6) }} - - {{ install_python_deps(["twine"]) | indent(6) }} - - {{ set_secrets() | indent(6) }} - - name: "Publish client to pypi" - run: | - bash .github/workflows/scripts/publish_client_pypi.sh {{ "${{ github.ref_name }}" }} + uses: pypa/gh-action-pypi-publish@release/v1 {%- endif %} {%- if deploy_client_to_rubygems %} From b35190db0ba7c20bde872c81b64b1e8913950473 Mon Sep 17 00:00:00 2001 From: Gerrod Ubben Date: Thu, 30 Oct 2025 14:14:06 -0400 Subject: [PATCH 2/3] Update publish workflow to use RubyGems Trusted Publisher --- .../github/.github/workflows/publish.yml.j2 | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/templates/github/.github/workflows/publish.yml.j2 b/templates/github/.github/workflows/publish.yml.j2 index 87f825a9..c098d795 100644 --- a/templates/github/.github/workflows/publish.yml.j2 +++ b/templates/github/.github/workflows/publish.yml.j2 @@ -79,18 +79,16 @@ jobs: runs-on: "ubuntu-latest" needs: - "build" - - env: - GITHUB_TOKEN: "{{ "${{ secrets.GITHUB_TOKEN }}" }}" + environment: + name: "rubygems" + permissions: + id-token: "write" steps: - {{ checkout(depth=1, path=plugin_name) | indent(6) }} - - name: "Download Ruby client" uses: "actions/download-artifact@v4" with: name: "ruby-client.tar" - path: "{{ plugin_name }}/" - name: "Untar Ruby client packages" run: | @@ -100,11 +98,14 @@ jobs: {{ setup_ruby() | indent(6) }} - {{ set_secrets() | indent(6) }} + - name: "Set RubyGems Credentials" + uses: "rubygems/configure-rubygems-credentials@v1.0.0" - - name: "Publish client to rubygems" + - name: "Publish client to RubyGems" run: | - bash .github/workflows/scripts/publish_client_gem.sh {{ "${{ github.ref_name }}" }} + {%- for plugin in plugins %} + gem push "{{ plugin.name | snake }}_client-{{ "${{ github.ref_name }}" }}.gem" + {%- endfor %} {%- endif %} {%- endif %} 
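Review bot: In the "Publish client to RubyGems" step, `{{ "${{ github.ref_name }}" }}` is rendered into the `run:` script text, so GitHub substitutes the ref name before the shell parses the line, and any shell metacharacters in a tag or branch name are interpreted as script. This job can obtain RubyGems credentials through `id-token: "write"`, so pass the value through the environment instead: add `env:` with `REF_NAME: "{{ "${{ github.ref_name }}" }}"` to the step and push `"{{ plugin.name | snake }}_client-${REF_NAME}.gem"`. The workflow trigger is outside the hunk, so who can create a matching ref could not be checked from here.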
From b161dd7371840ba213974b43e9cc8665a666da8a Mon Sep 17 00:00:00 2001 From: Gerrod Ubben Date: Thu, 30 Oct 2025 15:21:34 -0400 Subject: [PATCH 3/3] Restore checkout to client publishing steps --- templates/github/.github/workflows/publish.yml.j2 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/templates/github/.github/workflows/publish.yml.j2 b/templates/github/.github/workflows/publish.yml.j2 index c098d795..d8cc125d 100644 --- a/templates/github/.github/workflows/publish.yml.j2 +++ b/templates/github/.github/workflows/publish.yml.j2 @@ -59,10 +59,13 @@ jobs: id-token: "write" steps: + {{ checkout(depth=1, path=plugin_name) | indent(6) }} + - name: "Download Python client" uses: "actions/download-artifact@v4" with: name: "python-client.tar" + path: "{{ plugin_name }}/" - name: "Untar python client packages" run: | @@ -72,6 +75,8 @@ jobs: - name: "Publish client to pypi" uses: pypa/gh-action-pypi-publish@release/v1 + with: + packages-dir: "{{ plugin_name }}/dist/" {%- endif %} {%- if deploy_client_to_rubygems %} @@ -85,10 +90,13 @@ jobs: id-token: "write" steps: + {{ checkout(depth=1, path=plugin_name) | indent(6) }} + - name: "Download Ruby client" uses: "actions/download-artifact@v4" with: name: "ruby-client.tar" + path: "{{ plugin_name }}/" - name: "Untar Ruby client packages" run: |
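Review bot: The restored `checkout(...)` step in the `@@ -59,10 +59,13 @@` hunk runs in a job whose `permissions:` block grants only `id-token: "write"`. A job-level block sets every unlisted scope to `none`, so the token has no `contents` access. Checkout may still succeed on a public repository, but workflows generated for private repositories would likely fail at this step; add `contents: "read"` under `permissions:`. The Ruby client job in the `@@ -85,10 +90,13 @@` hunk has the same combination. The `checkout` macro body is not visible here; if it does not already set `persist-credentials: false`, that is worth doing in jobs that publish.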
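Review bot: In the `@@ -85,10 +90,13 @@` hunk, restoring `path: "{{ plugin_name }}/"` puts the Ruby client tarball under the plugin directory, but the "Publish client to RubyGems" step introduced in patch 2/3 still runs `gem push` with a bare file name and no working directory set. The Python job received a matching `packages-dir: "{{ plugin_name }}/dist/"` in this same commit, while the Ruby push step got no equivalent. The untar step's body lies outside the hunk, so confirm where the `.gem` files end up and set `working-directory:` on the push step (or prefix the path) accordingly.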