From d0dbfc265cb10f6cfc32cb281e02c3d28b7fab88 Mon Sep 17 00:00:00 2001
From: Tony Narlock
Date: Sun, 7 Dec 2025 15:08:58 -0600
Subject: [PATCH 1/2] ci(release): Migrate to PyPI Trusted Publisher
why: Improve security by eliminating stored API tokens and enable package attestations
what:
- Add OIDC permissions (id-token, attestations) to release job
- Remove user/password authentication in favor of trusted publishing
- Enable attestations for supply chain security
- Fix deprecated skip_existing to skip-existing
---
 .github/workflows/tests.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 54318a2ef5..2b2697b007 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -91,6 +91,9 @@ jobs:
 runs-on: ubuntu-latest
 needs: build
 if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+ permissions:
+ id-token: write
+ attestations: write
 strategy:
 matrix:
@@ -116,6 +119,5 @@ jobs:
 - name: Publish package
 uses: pypa/gh-action-pypi-publish@release/v1
 with:
- user: __token__
- password: ${{ secrets.PYPI_API_TOKEN }}
- skip_existing: true
+ attestations: true
+ skip-existing: true
From e433b06ce3a3778100044a20876abc5d90b86f20 Mon Sep 17 00:00:00 2001
From: Tony Narlock
Date: Sun, 7 Dec 2025 15:09:19 -0600
Subject: [PATCH 2/2] docs(CHANGES): Document Trusted Publisher migration (#1000)
---
 CHANGES | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index 1ffb92d169..495dc23b09 100644
--- a/CHANGES
+++ b/CHANGES
@@ -31,7 +31,9 @@ $ pipx install --suffix=@next 'tmuxp' --pip-args '\--pre' --force
-_Upcoming changes will be written here._
+### CI
+
+- Migrate to PyPI Trusted Publisher (#1000)
 ## tmuxp 1.60.0 (2025-12-06)
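Review bot: The new job-level `permissions:` block grants `attestations: write`, which pypa/gh-action-pypi-publish does not appear to need — it generates and uploads its attestations with the OIDC token obtained through `id-token: write`, whereas `attestations: write` is the scope for GitHub's own artifact-attestation API (`actions/attest-build-provenance`). Unless another step in this job uses that API, least privilege suggests trimming the block to `permissions:` / `id-token: write`. Declaring `permissions` at job level also resets every unlisted scope to `none`, so if the release job's steps (outside this hunk) check out the repository, `contents: read` must be added alongside. Since publishing now rests entirely on this workflow's identity, consider binding the job to a GitHub environment (`environment: pypi`) and naming that environment in the PyPI trusted-publisher settings, so deployment protection rules gate who can mint a publishing token.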
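Review bot: With the stored token gone, `uses: pypa/gh-action-pypi-publish@release/v1` (unchanged context in this hunk) is the one component that receives the OIDC identity, so it should be pinned to a full commit SHA with the tag in a trailing comment rather than the mutable `release/v1` branch ref; the job's step list continues outside the hunk. `skip-existing: true` turns an already-uploaded distribution into a silent success, which presumably is what lets the step run once per `matrix` entry without failing, but it also hides a re-tagged release that never actually uploads — worth a one-line comment such as `# skip-existing: tolerate re-runs; a version already on PyPI is never replaced`. A short comment above `with:`, e.g. `# Trusted publishing: no stored token; PyPI verifies the workflow identity`, would tell the next maintainer why no credentials appear here.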