From cea4fc5a9380f1b65d5ca56e5c689817fa8f12be Mon Sep 17 00:00:00 2001 From: Tony Narlock Date: Sun, 7 Dec 2025 15:15:34 -0600 Subject: [PATCH 1/3] ci(release): Migrate to PyPI Trusted Publisher why: Improve security by eliminating stored API tokens and enable package attestations what: - Add OIDC permissions (id-token, attestations) to release job - Remove user/password authentication in favor of trusted publishing - Enable attestations for supply chain security - Fix deprecated skip_existing to skip-existing --- .github/workflows/tests.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 7f551b5..a6edf58 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -49,6 +49,9 @@ jobs: runs-on: ubuntu-latest needs: build if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') + permissions: + id-token: write + attestations: write strategy: matrix: @@ -76,6 +79,5 @@ jobs: if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') uses: pypa/gh-action-pypi-publish@release/v1 with: - user: __token__ - password: ${{ secrets.PYPI_API_TOKEN }} - skip_existing: true + attestations: true + skip-existing: true From 981e6f44f29121747b84d4fac6d08c900bbee26c Mon Sep 17 00:00:00 2001 From: Tony Narlock Date: Sun, 7 Dec 2025 15:15:56 -0600 Subject: [PATCH 2/3] docs(CHANGES): Document Trusted Publisher migration (#43) --- CHANGES | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 0c80d86..edb46da 100644 --- a/CHANGES +++ b/CHANGES @@ -29,10 +29,12 @@ $ uvx --from 'g' --prerelease allow g ## g 0.0.9 (unreleased) -- _Notes on upcoming releases will be added here_ - +### CI + +- Migrate to PyPI Trusted Publisher (#43) + ## g 0.0.8 (2025-11-01) ### Breaking changes From ef7416f647fc935453a24c0eeb4e2eba72c17a39 Mon Sep 17 00:00:00 2001 
From: Tony Narlock Date: Sun, 7 Dec 2025 16:31:52 -0600 Subject: [PATCH 3/3] ai(rules[AGENTS]): Clarify namespace imports for stdlib only --- AGENTS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AGENTS.md b/AGENTS.md index 6b09836..85d7428 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -109,7 +109,7 @@ tests/test_cli.py ## Coding Standards - Include `from __future__ import annotations` at the top of Python modules. -- Use namespace imports: `import typing as t`, `import logging`, etc.; avoid `from typing import ...`. +- Use namespace imports for stdlib: `import typing as t`, `import logging`, etc.; third-party packages may use `from X import Y`. - Follow NumPy-style docstrings (see existing docstrings in `run` and pytest config requiring `pydocstyle` via ruff). - Ruff is the source of truth for lint rules; see `pyproject.toml` for enabled checks (E, F, I, UP, A, B, C4, COM, EM, Q, PTH, SIM, TRY, PERF, RUF, D, FA100). - Type checking is strict (`mypy --strict`); favor precise types and avoid `Any` unless necessary.
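Review bot: the new job-level `permissions:` block in the first `tests.yml` hunk (`id-token: write`, `attestations: write`) resets every scope not listed to `none` for that job; if any step in the release job checks out the repository or otherwise reads repo contents, add `contents: read` explicitly so the job does not fail once this is merged. Separately, OIDC trust on the PyPI side is keyed to the workflow file name (`tests.yml` here) and, optionally, an environment name; consider adding an `environment:` to this job so the trusted-publisher relationship can be scoped to releases rather than to every run of the test workflow.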
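Review bot: the second `tests.yml` hunk removes the only reference to `${{ secrets.PYPI_API_TOKEN }}`, but the token itself stays valid until it is revoked; the PR should also delete the repository secret and revoke the API token on PyPI, otherwise the credential this change is meant to eliminate remains live. Note too that the job publishes under a `strategy: matrix`, so with `skip-existing: true` only the first matrix entry actually uploads and the rest are skipped; if the matrix is not needed for publishing, a single-entry release job would make the attestation origin unambiguous.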
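Review bot: the `CHANGES` entry "Migrate to PyPI Trusted Publisher (#43)" would be more useful to downstream users if it also stated the two operational consequences of the change that the commit message already names: the `PYPI_API_TOKEN` secret is no longer used, and releases are now published with package attestations enabled.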
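Review bot: the reworded `AGENTS.md` rule now covers stdlib (`import typing as t`) and third-party packages (`from X import Y`) but says nothing about first-party imports from the project's own modules; add a clause stating which form is expected there so contributors and tooling do not have to guess.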